[TYPO3] TYPO3 Security Bulletin TYPO3-2007070703-1: Multiple vulnerabilities in all variants of MySQLDumper

Lars Houmark lars at typo3.org
Tue Jul 3 23:58:14 CEST 2007


Dear users of TYPO3,

Multiple vulnerabilities have been found in the third party extension
"mysqldumper": full read/write access to the connected database and
other related issues.

==== Component Type ====
The TYPO3 extension mysqldumper is a third party software that is not
part of the TYPO3 default installation. Embedded in this extension is
the standalone PHP tool MySQLDumper (http://www.mysqldumper.de). The
main purpose of this tool is to create full backups of large MySQL
databases from a web interface without the need for shell access. It
also allows administration of MySQL databases.

==== Affected versions ====
a) TYPO3 extension mysqldumper: Version 0.0.5 and all versions below
b) Standalone releases of MySQLDumper: All currently available versions
from [1] (1.23_pre_release_REV227, 1.22, 1.21b).

Due to special circumstances the TYPO3 security team has decided to
address both users of the standalone tool and of the TYPO3 extension
with this bulletin. The reasons for this exceptional approach are
explained below (see "Background").

==== Vulnerability Type ====
Various vulnerabilities such as
a) Full read and write access to the connected MySQL database
b) Creation and download of database backups possible
c) Full admin backend access to a TYPO3 web site possible

==== Severity ====
HIGH

==== Problem Description ====
Two security holes were found.

1) Due to a critical security issue in both the standalone version of
MySQLDumper and the TYPO3 extension mysqldumper, the functionality of the
tool can easily be exploited by an attacker, who can create and
download a database backup or read from / write to the MySQL database.

The built-in functionality of MySQLDumper to create a password
protection on Apache based web servers (using a combination of a
.htaccess and a .htpasswd file) does not offer sufficient protection due
to a weakness in the coding.

If an installation of MySQLDumper can be located by an attacker because
its path is guessable, the full functionality of the tool is
exploitable. This is always the case for the TYPO3 extension
mysqldumper, because the path of the extension is fixed. It also applies
to the standalone tool if it is reachable via a URL such as
"www.mydomain.tld/mysqldumper".

2) The TYPO3 extension mysqldumper 0.0.5 itself checks for a valid,
logged-in TYPO3 backend user. But the implementation of this check also
contains a security hole that makes the TYPO3-specific check
unreliable.

==== Solution ====
A solution could be either

1) to delete the variant of MySQLDumper you are using from your server or

2) to take steps yourself to secure the tool by manually adding a
password protection (after deleting the .htaccess and .htpasswd files
that were generated by MySQLDumper). You should choose this option only
if you are confident that you have the relevant expertise to implement
the password protection properly.
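The manual password protection in option 2 is the one step of this bulletin with a concrete procedure, so here is an added example of carrying it out; it is not code from the bulletin, from MySQLDumper or from TYPO3. It deletes the generated .htaccess and .htpasswd files, writes a fresh password file outside the web-served directory, and writes a new .htaccess that points at it. The directory layout, user names and passwords in demo() are constructed; the {SHA} password format is the one Apache's htpasswd -s writes and is used only because it needs nothing beyond the standard library.

```python
"""Replace MySQLDumper's generated .htaccess/.htpasswd with a hand-written
HTTP Basic auth setup whose password file lives outside the document root.
Added example; paths, users and passwords are constructed for the demo."""
import base64
import hashlib
import os
import secrets
import tempfile

# Files that MySQLDumper's built-in protection feature writes into its own
# directory; the bulletin advises deleting them before adding your own.
GENERATED_FILES = (".htaccess", ".htpasswd")


def htpasswd_entry(user: str, password: str) -> str:
    """One line of an Apache password file in the {SHA} format of `htpasswd -s`.
    {SHA} is unsalted; on a real server generate the file with `htpasswd -B`
    (bcrypt) instead. It is used here because it needs only the stdlib."""
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and must not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify_entry(entry: str, password: str) -> bool:
    """Check a candidate password against a {SHA} entry (constant-time compare)."""
    user, _, stored = entry.partition(":")
    expected = htpasswd_entry(user, password).partition(":")[2]
    return secrets.compare_digest(stored, expected)


def htaccess_contents(auth_user_file: str) -> str:
    """Minimal .htaccess requiring Basic auth for everything in the directory
    (standard mod_auth_basic directives)."""
    return "\n".join([
        "AuthType Basic",
        'AuthName "MySQLDumper"',
        f"AuthUserFile {auth_user_file}",
        "Require valid-user",
        "",
    ])


def is_outside(path: str, directory: str) -> bool:
    """True if `path` does not live inside `directory` (symlinks resolved)."""
    path = os.path.realpath(path)
    directory = os.path.realpath(directory)
    return os.path.commonpath([path, directory]) != directory


def _write_with_mode(path: str, text: str, mode: int) -> None:
    # Create the file with the final permissions from the start, so there is
    # no window in which a world-readable password file exists.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def secure_directory(tool_dir: str, users: dict, auth_user_file: str) -> str:
    """Delete the generated files in `tool_dir`, write a new password file at
    `auth_user_file` (must be outside `tool_dir`) and a new .htaccess that
    references it. Returns the path of the written .htaccess.
    The password file is 0640: give it the web server's group so Apache can
    read it, but keep it unreadable for other local users."""
    if not is_outside(auth_user_file, tool_dir):
        raise ValueError("AuthUserFile must be outside the web-served directory")
    for name in GENERATED_FILES:
        stale = os.path.join(tool_dir, name)
        if os.path.exists(stale):
            os.remove(stale)
    lines = "".join(htpasswd_entry(u, p) + "\n" for u, p in users.items())
    _write_with_mode(auth_user_file, lines, 0o640)
    htaccess_path = os.path.join(tool_dir, ".htaccess")
    _write_with_mode(htaccess_path, htaccess_contents(auth_user_file), 0o644)
    return htaccess_path


def demo() -> dict:
    """Constructed layout: <tmp>/htdocs/mysqldumper holds a stale generated
    .htpasswd; the new one goes to <tmp>/private/.htpasswd."""
    root = tempfile.mkdtemp()
    tool = os.path.join(root, "htdocs", "mysqldumper")
    os.makedirs(tool)
    os.makedirs(os.path.join(root, "private"))
    open(os.path.join(tool, ".htpasswd"), "w").close()  # stand-in for generated file
    pw_file = os.path.join(root, "private", ".htpasswd")
    htaccess = secure_directory(tool, {"admin": "correct horse"}, pw_file)
    try:  # placing the password file under the tool directory must be refused
        secure_directory(tool, {"x": "y"}, os.path.join(tool, ".htpasswd"))
        inside_rejected = False
    except ValueError:
        inside_rejected = True
    return {
        "htaccess": open(htaccess).read(),
        "entry": open(pw_file).read().strip(),
        "stale_removed": not os.path.exists(os.path.join(tool, ".htpasswd")),
        "inside_rejected": inside_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After applying this on a real server, confirm that AllowOverride permits AuthConfig for that directory and that an unauthenticated request to the tool's URL answers 401 rather than 200; if it still answers 200, the .htaccess is being ignored and the protection is not in effect.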

Specific steps for users of the TYPO3 extension mysqldumper:

Use the TYPO3 backend module "Extension Manager" to deactivate the
extension and additionally delete its complete source code from your web
space. An updated and secured version of the extension is currently not
available.

There is also no secured version of the standalone tool MySQLDumper
available at this time from the mysqldumper download page on
mysqldumper.de [1].

==== Outlook ====
We hope that the security issues found will be fixed soon by the authors
of the tool MySQLDumper.

The TYPO3 security team has the impression that the source code of the
tool MySQLDumper is generally fragile from a security perspective. The
security team has informed the author of the extension mysqldumper that
the extension will not be available from the TYPO3 extension repository
(TER2) until it has been reviewed by IT security experts and improved
according to our standards. We recommend that you do not use versions
of the extension mysqldumper that may be available for download on third
party web sites while the extension mysqldumper is not part of TER2.

==== Background ====
We haven't got any cooperative reaction from any of the authors of
MySQLDumper to our mail from 12th June 2007, in which we reported the
discovery of the latest found security hole. Until now we don't have any
evidence that the authors of MySQLDumper are working on fixing the
reported flaw.

In addition, an earlier and still ongoing cooperation with the author
of the TYPO3 extension mysqldumper to fix the second security issue
mentioned above has not been completely satisfying from
the perspective of the TYPO3 security team.

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security
Cookbook [2].

==== Related information ====
Before releasing this bulletin, Bugtraq has been informed. See [3]
for more information.

==== Credits ====
Credits go to security team member Henning Pingel who found all known
security holes in the extension mysqldumper and the standalone tool
MySQLDumper.

[1] http://www.mysqldumper.de/board/downloads.php?cat=2
[2] http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf
[3] http://www.securityfocus.com/archive/1/472756/30/0/threaded

Regards,

Lars Houmark
lars at typo3.org
