---
title: "OVE-20191021-0001"
date: "2019-10-21"
tags:
  - security
  - release
  - javascript
  - mysql
  - oh-dear-god
---

# OVE-20191021-0001

## Within Security Advisory

Multiple vulnerabilities in the mysqljs API and code.

Security Warning Level: yikes/10

## Summary

There are multiple issues exploitable by local and remote actors in [mysqljs][mysqljs]. These can cause application data leaks, database leaks, SQL injections, arbitrary code execution, and credential leaks, among other things. Mysqljs is unversioned, so it is very difficult, if not impossible, to tell how many users are affected by this and what users can do to ensure they are patched against these critical vulnerabilities.

## Background

Mysqljs is a library intended to facilitate prototyping web applications and mobile applications using technologies such as [PhoneGap][phonegap] or [Cordova][cordova]. These technologies allow developers to create a web application that gets packaged and presented to users as if it were a native application. This library is intended to help developers create persistent storage for these applications.

## Issues in Detail

There are at least seven vulnerabilities in this library; each of them is outlined below with a fairly vague level of detail.

### mysql.js is NOT versioned

The only version information I was able to find is the following:

- The `Last-Modified` date of Friday, March 11 2016
- The `ETag` of `80edc3e5a87bd11:0`

These header values correlate to a vulnerable version of the mysql.js file.
An entire copy of this file is embedded for purposes of explanation:

```javascript
var MySql = {
    _internalCallback : function() { console.log("Callback not set")},

    Execute: function (Host, Username, Password, Database, Sql, Callback) {
        MySql._internalCallback = Callback;

        // to-do: change localhost: to mysqljs.com
        var strSrc = "http://mysqljs.com/sql.aspx?";
        strSrc += "Host=" + Host;
        strSrc += "&Username=" + Username;
        strSrc += "&Password=" + Password;
        strSrc += "&Database=" + Database;
        strSrc += "&sql=" + Sql;
        strSrc += "&Callback=MySql._internalCallback";

        var sqlScript = document.createElement('script');
        sqlScript.setAttribute('src', strSrc);
        document.head.appendChild(sqlScript);
    }
}
```

### Fundamental Operation via Cross-Site Scripting

The code operates by creating a `
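To make the behaviour of the embedded `Execute` function concrete, here is an added audit helper (not part of the advisory or of mysqljs) that rebuilds the script URL exactly as `Execute` concatenates it, without touching the DOM, and reports what a reviewer would flag: plaintext transport, a third-party relay, credentials in the query string, and the effects of the missing URL encoding. The function names and all sample values (host, user, password, SQL) are assumptions for illustration.

```javascript
// Added example, not code from the advisory or from mysqljs: rebuild the request
// URL that this version's Execute() constructs (same concatenation, no DOM), then
// audit it. buildMysqljsUrl/auditMysqljsUrl and the sample values are assumptions.
const EXPECTED_PARAMS = ["Host", "Username", "Password", "Database", "sql", "Callback"];

function buildMysqljsUrl(host, username, password, database, sql) {
  // Mirrors Execute(): every value is concatenated raw, with no URL encoding.
  let strSrc = "http://mysqljs.com/sql.aspx?";
  strSrc += "Host=" + host;
  strSrc += "&Username=" + username;
  strSrc += "&Password=" + password;
  strSrc += "&Database=" + database;
  strSrc += "&sql=" + sql;
  strSrc += "&Callback=MySql._internalCallback";
  return strSrc;
}

// Returns a list of findings about one script URL, as a reviewer would report them.
function auditMysqljsUrl(strSrc) {
  const url = new URL(strSrc);
  const findings = [];
  if (url.protocol !== "https:") {
    findings.push("credentials and SQL travel over plaintext " + url.protocol.slice(0, -1));
  }
  findings.push("query and credentials are relayed through third-party host " + url.hostname);
  for (const name of ["Username", "Password"]) {
    if (url.searchParams.has(name)) {
      findings.push(name + " is in the query string (proxy logs, browser history, Referer)");
    }
  }
  // No encoding: a value containing '&' is reparsed by the server as extra parameters.
  const keys = [...url.searchParams.keys()];
  const extra = keys.filter((k) => !EXPECTED_PARAMS.includes(k));
  if (extra.length > 0) {
    findings.push("unencoded '&' split a value into unexpected parameters: " + extra.join(", "));
  }
  const missing = EXPECTED_PARAMS.filter((k) => !url.searchParams.has(k));
  if (missing.length > 0) {
    findings.push("expected parameters never reach the server: " + missing.join(", "));
  }
  // No encoding: a '#' (e.g. a MySQL comment) turns the rest of the URL into a fragment.
  if (url.hash !== "") {
    findings.push("unencoded '#' turned the rest of the request into a URL fragment");
  }
  return findings;
}

// Constructed sample values; the host and password are not real.
const sample = buildMysqljsUrl("db.example.test", "app", "pa&ss", "appdb", "SELECT 1");
for (const f of auditMysqljsUrl(sample)) console.log("- " + f);
```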