TYPO3-20070703-1: Multiple vulnerabilities in all variants of MySQLDumper
July 03, 2007
Category: TYPO3 Extension
Multiple vulnerabilities have been found in the third party extension "mysqldumper". Full read/write access to the connected database and other related issues.
Component Type: Third party extension. This extension is not part of the TYPO3 default installation
a) TYPO3 extension mysqldumper: Version 0.0.5 and all versions below
b) Standalone releases of MySQLDumper: All currently available versions
(1.23_pre_release_REV227, 1.22, 1.21b)
Due to special circumstances the TYPO3 security team has decided to address both users of the standalone tool and of the TYPO3 extension with this bulletin. The reasons for this exceptional approach are explained below (see "Background").
Various vulnerabilities such as
a) Full read and write access to the connected MySQL database
b) Creation and download of database backups possible
c) Full admin backend access to a TYPO3 web site possible
Two security holes were found.
1) Due to a critcal security issue in both the standalone version of MySQLDumper and the TYPO3 extension mysqldumper the functionality of the tool can be easily exploited by a malicious hacker. He can create and download a database backup or read from / write to the MySQL database.
The built-in functionality of MySQLDumper to create a password protection on Apache based web servers (using a combination of a .htaccess and a .htpasswd file) does not offer sufficient protection due to a weakness in the coding.
If an installation of MySQLDumper is locatable for an attacker due to a guessable path, the full functionality of the tool is exploitable. This is always the case for the TYPO3 extension mysqldumper, in which case the path of the extension has to be static. It also applies to the standalone tool if it should be reachable via a URL such as "www.mydomain.tld/mysqldumper".
2) The TYPO3 extension mysqldumper 0.0.5 itself provides an authentication check for a valid logged in TYPO3 backend user. But the implementation of this check also contains a security hole that makes the TYPO3 specific check unreliable.
A solution could be either
1) to delete the variant of MySQLDumper you are using from your server or
2) to take steps yourself to secure the tool by manually adding a password protection (after deleting the .htaccess and .htpasswd files that were generated by MySQLDumper). You should choose this option only if you are confident that you have the relevant expertise to implement the password protection properly.
Specific steps for users of the TYPO3 extension mysqldumper:
Use the TYPO3 backend module "Extension Manager" to deactivate the extension and additionally delete its complete source code from your web space. An updated and secured version of the extension is currently not available.
There is also no secured version of the standalone tool MySQLDumper available at this time from the mysqldumper download page on mysqldumper.de:
We hope that the security issues found will be fixed soon by the authors
of the tool MySQLDumper.
The TYPO3 security team has the impression that the source code of the tool MySQLDumper is generally fragile from a security perspective. The security team has informed the author of the extension mysqldumper that the extension will not be available from the TYPO3 extension repository (TER2) until it has been reviewed by IT security experts and improved according to our standards. We recommend that you do not to use versions of the extension mysqldumper that may be available for download on third party web sites if the extension mysqldumper is not part of TER2.
We haven't got any cooperative reaction from any of the authors of MySQLDumper to our mail from 12th June 2007 where we reported the discovery of the latest found security hole. Until now we don't have any evidence that the authors of MySQLDumper are working on fixing the reported flaw.
In addition, an earlier and still ongoing cooperation with the author of the TYPO3 extension mysqldumper to fix the second security issue mentioned above has not been completely satisfying from the perspective of the TYPO3 security team.
General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook.
Related information: Before releasing this bulletin, Bugtrac has been informed. See http://www.securityfocus.com/archive/1/472756/30/0/threaded for more information.
The official bugtraq bulletin page is: http://www.securityfocus.com/bid/24759
Credits: Credits go to security team member Henning Pingel who found all known
security holes in the extension mysqldumper and the standalone tool MySQLDumper.