From 7d8ea1e2c914031cdb52ea86e02081245fc5230f Mon Sep 17 00:00:00 2001
From: Christine Dodrill
Date: Mon, 21 Oct 2019 15:30:02 -0400
Subject: [PATCH] blog: OVE-20191021-0001 (#88)
---
blog/OVE-20191021-0001.md | 166 ++++++++++++++++++++++++++++++++++++++
1 file changed, 166 insertions(+)
create mode 100644 blog/OVE-20191021-0001.md
diff --git a/blog/OVE-20191021-0001.md b/blog/OVE-20191021-0001.md
new file mode 100644
index 0000000..8ec1edd
--- /dev/null
+++ b/blog/OVE-20191021-0001.md
@@ -0,0 +1,166 @@
+---
+title: "OVE-20191021-0001"
+date: "2019-10-21"
+tags:
+ - security
+ - release
+ - javascript
+ - mysql
+ - oh-dear-god
+---
+
+# OVE-20191021-0001
+
+## Within Security Advisory
+
+Multiple vulnerabilities in the mysqljs API and code.
+
+Security Warning Level: yikes/10
+
+## Summary
+
+There are multiple issues exploitable by local and remote actors in
+[mysqljs][mysqljs]. These can cause application data leaks, database leaks, SQL
+injections, arbitrary code execution, and credential leaks among other things.
+
+Mysqljs is unversioned, so it is very difficult to impossible to tell how many
+users are affected by this and what users can do in order to ensure they are
+patched against these critical vulnerabilities.
+
+## Background
+
+Mysqljs is a library intended to facilitate prototyping web applications and
+mobile applications using technologies such as [PhoneGap][phonegap] or
+[Cordova][cordova]. These technologies allow developers to create a web
+application that gets packaged and presented to users as if it was a native
+application.
+
+This library is intended to help with developers creating persistent storage for
+these applications.
+
+## Issues in Detail
+
+There are at least seven vulnerabilities with this library, each of them will be
+outlined below with a fairly vague level of detail.
+
+### mysql.js is NOT versioned
+
+The only version information I was able to find are the following:
+
+- The `Last-Modified` date of Friday, March 11 2016
+- The `ETag` of `80edc3e5a87bd11:0`
+
+These header values correlate to a vulnerable version of the mysql.js file.
+
+An entire copy of this file is embedded for purposes of explanation:
+
+```
+var MySql = {
+ _internalCallback : function() { console.log("Callback not set")},
+ Execute: function (Host, Username, Password, Database, Sql, Callback) {
+ MySql._internalCallback = Callback;
+ // to-do: change localhost: to mysqljs.com
+ var strSrc = "http://mysqljs.com/sql.aspx?";
+ strSrc += "Host=" + Host;
+ strSrc += "&Username=" + Username;
+ strSrc += "&Password=" + Password;
+ strSrc += "&Database=" + Database;
+ strSrc += "&sql=" + Sql;
+ strSrc += "&Callback=MySql._internalCallback";
+ var sqlScript = document.createElement('script');
+ sqlScript.setAttribute('src', strSrc);
+ document.head.appendChild(sqlScript);
+ }
+}
+```
+
+### Fundamental Operation via Cross-Site Scripting
+
+The code operates by creating a `