2019-10-21 19:30:02 +00:00
|
|
|
---
|
|
|
|
title: "OVE-20191021-0001"
|
2019-10-21 19:32:50 +00:00
|
|
|
date: "2019-10-22"
|
2019-10-21 19:30:02 +00:00
|
|
|
tags:
|
|
|
|
- security
|
|
|
|
- release
|
|
|
|
- javascript
|
|
|
|
- mysql
|
|
|
|
- oh-dear-god
|
|
|
|
---
|
|
|
|
|
|
|
|
## Within Security Advisory
|
|
|
|
|
|
|
|
Multiple vulnerabilities in the mysqljs API and code.
|
|
|
|
|
|
|
|
Security Warning Level: yikes/10
|
|
|
|
|
|
|
|
## Summary
|
|
|
|
|
|
|
|
There are multiple issues exploitable by local and remote actors in
|
|
|
|
[mysqljs][mysqljs]. These can cause application data leaks, database leaks, SQL
|
|
|
|
injections, arbitrary code execution, and credential leaks among other things.
|
|
|
|
|
|
|
|
Mysqljs is unversioned, so it is very difficult to impossible to tell how many
|
|
|
|
users are affected by this and what users can do in order to ensure they are
|
|
|
|
patched against these critical vulnerabilities.
|
|
|
|
|
|
|
|
## Background
|
|
|
|
|
|
|
|
Mysqljs is a library intended to facilitate prototyping web applications and
|
|
|
|
mobile applications using technologies such as [PhoneGap][phonegap] or
|
|
|
|
[Cordova][cordova]. These technologies allow developers to create a web
|
|
|
|
application that gets packaged and presented to users as if it was a native
|
|
|
|
application.
|
|
|
|
|
|
|
|
This library is intended to help with developers creating persistent storage for
|
|
|
|
these applications.
|
|
|
|
|
|
|
|
## Issues in Detail
|
|
|
|
|
|
|
|
There are at least seven vulnerabilities with this library, each of them will be
|
|
|
|
outlined below with a fairly vague level of detail.
|
|
|
|
|
|
|
|
### mysql.js is NOT versioned
|
|
|
|
|
|
|
|
The only version information I was able to find are the following:
|
|
|
|
|
|
|
|
- The `Last-Modified` date of Friday, March 11 2016
|
|
|
|
- The `ETag` of `80edc3e5a87bd11:0`
|
|
|
|
|
|
|
|
These header values correlate to a vulnerable version of the mysql.js file.
|
|
|
|
|
|
|
|
An entire copy of this file is embedded for purposes of explanation:
|
|
|
|
|
|
|
|
```
|
|
|
|
var MySql = {
|
|
|
|
_internalCallback : function() { console.log("Callback not set")},
|
|
|
|
Execute: function (Host, Username, Password, Database, Sql, Callback) {
|
|
|
|
MySql._internalCallback = Callback;
|
|
|
|
// to-do: change localhost: to mysqljs.com
|
|
|
|
var strSrc = "http://mysqljs.com/sql.aspx?";
|
|
|
|
strSrc += "Host=" + Host;
|
|
|
|
strSrc += "&Username=" + Username;
|
|
|
|
strSrc += "&Password=" + Password;
|
|
|
|
strSrc += "&Database=" + Database;
|
|
|
|
strSrc += "&sql=" + Sql;
|
|
|
|
strSrc += "&Callback=MySql._internalCallback";
|
|
|
|
var sqlScript = document.createElement('script');
|
|
|
|
sqlScript.setAttribute('src', strSrc);
|
|
|
|
document.head.appendChild(sqlScript);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
### Fundamental Operation via Cross-Site Scripting
|
|
|
|
|
|
|
|
The code operates by creating a `<script>` element. The Javascript source of
|
|
|
|
this script is dynamically generated by the remote API server. This opens the
|
|
|
|
door for many kinds of Cross-Site Scripting attacks.
|
|
|
|
|
|
|
|
Especially because:
|
|
|
|
|
|
|
|
### Credentials Exposed over Plain HTTP
|
|
|
|
|
|
|
|
The script works by creating a `<script>` element pointed at a HTTP resource in
|
|
|
|
order to facilitate access to the MySQL Server. Line 6 shows that the API server
|
|
|
|
in question is being queried over UNENCRYPTED HTTP.
|
|
|
|
|
|
|
|
```
|
|
|
|
var strSrc = "http://mysqljs.com/sql.aspx?";
|
|
|
|
```
|
|
|
|
|
|
|
|
### Credentials and SQL Queries Are Not URL-Encoded Before Adding Them to a URL
|
|
|
|
|
|
|
|
Credentials and SQL queries are not URL-encoded before they are added to the
|
|
|
|
`strSrc` URL. This means that values may include other HTTP parameters that
|
|
|
|
could be evaluated, causing one of the two following:
|
|
|
|
|
|
|
|
### Potential for SQL Injection from Malformed User Input
|
|
|
|
|
|
|
|
It appears this API works by people submitting plain text SQL queries. It is
|
|
|
|
likely difficult to write these plain text queries in a way that avoids SQL
|
|
|
|
injection attacks.
|
|
|
|
|
|
|
|
### Potential for Arbitrary Code Execution
|
|
|
|
|
|
|
|
Combined with the previous issues, a SQL injection that inserts arbitrary
|
|
|
|
Javascript into the result will end up creating an arbitrary code execution bug.
|
|
|
|
This could let an attacker execute custom Javascript code on the page, which may
|
|
|
|
have even more disastrous consequences depending on the usage of this library.
|
|
|
|
|
|
|
|
### Server-Side Code has Unknown Logging Enabled
|
|
|
|
|
|
|
|
This means that user credentials and database results may be logged, stored and
|
|
|
|
leaked by the mysql.js API server without user knowledge. The server that is
|
|
|
|
running the API server may also do additional logging of database credentials
|
|
|
|
and results without user knowledge.
|
|
|
|
|
|
|
|
### Encourages Bad Practices
|
|
|
|
|
|
|
|
Mysql.js works by its API server dialing out an _UNENCRYPTED_ connection to your
|
|
|
|
MySQL server over the internet. This requires exposing your MySQL server to the
|
|
|
|
internet. This means that user credentials are vulnerable to anyone who has
|
|
|
|
packet capture abilities.
|
|
|
|
|
|
|
|
Mysql.js also encourages developers commit database credentials into their
|
|
|
|
application source code. Cursory searching of GitHub has found
|
|
|
|
[this][leakedcreds]. I can only imagine there are countless other potential
|
|
|
|
victims.
|
|
|
|
|
|
|
|
## Security Suggestions
|
|
|
|
|
|
|
|
- Do not, under any circumstances, allow connections to be made without the use
|
|
|
|
of TLS (HTTPS).
|
|
|
|
- Version the library.
|
|
|
|
- Offer the source code of the API server to allow users to inspect it and
|
|
|
|
ensure their credentials are not being stored by it.
|
|
|
|
- Detail how the IIS server powering this service is configured, proving that it
|
|
|
|
is not keeping unsanitized access logs.
|
|
|
|
- Ensure all logging methods sanitize or remove user credentials.
|
|
|
|
- URL-encode all values being sent as part of a URL.
|
|
|
|
- Do not have your service fundamentally operate as a Cross-Site Scripting
|
|
|
|
attack.
|
|
|
|
- Do not, under any circumstances, encourage developers to put database
|
|
|
|
credentials in the source code of front-end web applications.
|
|
|
|
|
|
|
|
In summary, we label this a solid yikes/10 in terms of security. It would be
|
|
|
|
advisable for current users of this library to re-evaluate the life decisions
|
|
|
|
that have lead them down this path.
|
|
|
|
|
|
|
|
## GReeTZ
|
|
|
|
|
|
|
|
Über thanks to [jadr2ddude][jaden] for helping with identifying the unfortunate
|
|
|
|
scope of these massive security issues.
|
|
|
|
|
|
|
|
Hyper thanks to [J][j] for coming up with a viable GitHub search for potentially
|
|
|
|
affected users.
|
|
|
|
|
|
|
|
[mysqljs]: http://www.mysqljs.com/
|
|
|
|
[phonegap]: https://phonegap.com/
|
|
|
|
[cordova]: https://cordova.apache.org/
|
|
|
|
[leakedcreds]: https://github.com/search?utf8=%E2%9C%93&q=%22https%3A%2F%2Fmysqljs.com%2Fmysql.js%22&type=Code
|
|
|
|
[jaden]: https://twitter.com/CompuJad
|
|
|
|
[j]: https://twitter.com/LombaxJay
|