
Security Contact #10

Open
mal-tee opened this issue Jan 23, 2024 · 3 comments
Comments

mal-tee commented Jan 23, 2024

Hello maintainer(s),

I am a security researcher from the Institute of Application Security at TU Braunschweig, Germany. We discovered a (potential) security vulnerability in your project.

We would like to report this vulnerability to you in a responsible and ethical manner.
Therefore, we do not want to disclose any details of the vulnerability publicly until you have had a chance to review and fix it.

Could you please let us know your preferred way of receiving security reports?

You can contact us at [email protected] or by replying to this issue.

Thank you for your attention and cooperation.

mal-tee (Author) commented Mar 27, 2024

Dear maintainer(s),

I am getting in touch again to ask you for a security contact. We want to disclose a (potential) security vulnerability in your project responsibly. Feel free to respond with your preferred method of disclosure in this issue or via email: [email protected]

Please note that we anticipate releasing our findings later this year.

Thank You

Frecuencio (Owner) commented

Hi there,

I appreciate your message regarding the project. I am interested in understanding the issue you are describing. Please feel free to share it in this thread. This project is not actively developed at the moment, but I will do my best to address and resolve any issues that arise.

Looking forward to hearing more details. Thank you.

mal-tee (Author) commented Jul 31, 2024

Hi,

you use user input with file_get_contents here:

sqlbuddy-php7/serve.php

Lines 70 to 97 in 6614b9d

$filename = $_GET['file'];                       // user-controlled input
// prefix allowlist: only css/, themes/ and js/
if (!(strpos($filename, "css/") === 0 || strpos($filename, "themes/") === 0 || strpos($filename, "js/") === 0))
    exit;
// directory-traversal check
if (strpos($filename, "..") !== false)
    exit;
// file_exists() goes through PHP's stream layer, so it accepts stat-able stream wrappers as well as plain paths
if (file_exists($filename)) {
    if (extension_loaded('zlib') && ((isset($sbconfig['EnableGzip']) && $sbconfig['EnableGzip'] == true) || !isset($sbconfig['EnableGzip']))) {
        ob_start("ob_gzhandler");
    } else {
        ob_start();
    }
    $last_modified_time = filemtime($filename);
    $etag = md5_file($filename);
    header("Last-Modified: " . gmdate("D, d M Y H:i:s", $last_modified_time) . " GMT");
    header("Expires: " . gmdate("D, d M Y H:i:s", time()+24*60*60*60) . " GMT");
    header("Etag: $etag");
    if ((array_key_exists('HTTP_IF_MODIFIED_SINCE', $_SERVER) && @strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) == $last_modified_time) || (array_key_exists('HTTP_IF_NONE_MATCH', $_SERVER) && trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag)) {
        header("HTTP/1.1 304 Not Modified");
        exit;
    }
    // file_get_contents() also accepts stream wrappers (ftp://, http://, php://, ...), not only filesystem paths
    $contents = file_get_contents($filename);
    // excerpt ends here; the block continues in serve.php

You check for Local File Inclusion (".."), but users might be able to request arbitrary network resources, since file_get_contents can also conduct network requests. Since you are using file_exists, only those schemes that are stat-able can be used, but an attacker might trigger an FTP request via an ftp:// URL. This is called Server-Side Request Forgery; you can learn more about it at OWASP: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
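The comment above turns on two properties of PHP's file functions: file_get_contents() and file_exists() both go through the stream layer, so a string with a scheme prefix (ftp://, http://, php://, data://, ...) is dispatched to a wrapper rather than to the filesystem, and a substring check for ".." says nothing about where a path actually resolves. The script below is an added example written for this page, not code from sqlbuddy or from the reporter; it shows the general hardening a maintainer would apply to such an asset endpoint: refuse any scheme prefix and NUL byte up front, then canonicalise with realpath() and require the result to sit inside an allowlisted directory. The function name resolve_asset, the constant ALLOWED_DIRS, the demo() helper and the temporary directory it builds are all assumptions made for the example; the three directory names are the ones the original prefix check allows.

```php
<?php
// Added example (not sqlbuddy's code): hardened validation of a user-supplied
// asset name before it reaches file_get_contents().
//
// Hypothetical layout assumed here: the asset directories css/, themes/ and js/
// live directly under $baseDir, and nothing outside them may be served.

declare(strict_types=1);

const ALLOWED_DIRS = ['css', 'themes', 'js'];

/**
 * Return the canonical path of $name if it is a regular file inside one of
 * ALLOWED_DIRS under $baseDir, otherwise null.
 *
 * Order of checks:
 *  1. Any "scheme://" prefix is refused before touching the stream layer, so
 *     ftp://, http://, php://, data:// and friends never reach file_exists()
 *     or file_get_contents().
 *  2. A NUL byte is refused; it would truncate the path at the C level.
 *  3. realpath() canonicalises the joined path (collapsing ../ and ./ and
 *     following symlinks), and the result must start with "<base>/<dir>/".
 *     This replaces a substring test for ".." with a test on where the path
 *     really ends up.
 */
function resolve_asset(string $name, string $baseDir): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $name) === 1) {
        return null;                                   // stream wrapper
    }
    if (strpos($name, "\0") !== false) {
        return null;                                   // NUL truncation
    }

    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return null;                                   // missing or not a file
    }

    foreach (ALLOWED_DIRS as $dir) {
        $prefix = $base . DIRECTORY_SEPARATOR . $dir . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return $real;                              // inside an allowed dir
        }
    }
    return null;                                       // resolved outside the tree
}

/**
 * Self-contained demonstration on a constructed temporary tree: one real
 * asset, one file outside the allowed directories, and a list of inputs an
 * attacker might send. Returns input => 'allowed' | 'rejected'.
 */
function demo(): array
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'assets_' . bin2hex(random_bytes(4));
    mkdir($base . '/css', 0700, true);
    file_put_contents($base . '/css/style.css', "body{}\n");
    file_put_contents($base . '/secret.txt', "not an asset\n");

    $inputs = [
        'css/style.css',                        // legitimate request
        'css/../secret.txt',                    // traversal, caught by realpath containment
        'css/./../secret.txt',                  // same, with a ./ in the middle
        'ftp://attacker.example/x',             // stream wrapper, refused before any I/O
        'php://filter/resource=css/style.css',  // wrapper that would otherwise be readable
        "css/style.css\0.png",                  // NUL truncation attempt
        'css',                                  // a directory, not a file
    ];

    $results = [];
    foreach ($inputs as $in) {
        $results[$in] = resolve_asset($in, $base) !== null ? 'allowed' : 'rejected';
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $in => $verdict) {
        printf("%-40s %s\n", addcslashes($in, "\0"), $verdict);
    }
}
```

Only the first input resolves; the others are rejected. The important design choice is that the allowlist is applied to the output of realpath(), not to the raw string: a prefix or substring check on the raw string can be satisfied by a string that later means something else to the stream layer, whereas the canonical path is what will actually be opened.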
