CVE-2006-4578

Source: PSIRT-CNA@flexerasoftware.com

HIGH
7.5
Published: December 31, 2006 at 05:00 AM
Modified: April 9, 2025 at 12:30 AM

Vulnerability Description

export.php in The Address Book 1.04e writes username and password hash information into a publicly accessible file when dumping the MySQL database contents, which allows remote attackers to obtain sensitive information.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

The Address Book 1.04e has a high-severity vulnerability: when export.php dumps the MySQL database, it writes user credentials, including hashed passwords, to a publicly accessible file. Attackers can easily obtain this sensitive information, leading to account compromise and potential system takeover. Exploitation is straightforward, requiring only a crafted request to retrieve the exposed database dump.

02 // Vulnerability Mechanism

Step 1: Access the Vulnerable Script: The attacker identifies the location of export.php on the target server, typically by browsing the application's directory structure or through reconnaissance.

Step 2: Trigger the Export: The attacker sends a request to export.php, which initiates the database export process. The exact parameters needed to trigger the export might vary, but the core functionality is to dump the database contents.

Step 3: Retrieve the Exported File: The script generates a database dump file, usually with a predictable name or location within the web server's document root. The attacker then accesses this file directly via a web browser or other HTTP client.

Step 4: Extract Credentials: The attacker parses the contents of the exported file, which contains the usernames and password hashes. These hashes can then be cracked using tools like John the Ripper or Hashcat to obtain the plain-text passwords, enabling account compromise.

03 // Deep Technical Analysis

The vulnerability stems from a design flaw in export.php within The Address Book 1.04e. The script, intended to export the MySQL database, inadvertently includes sensitive information such as usernames and password hashes within the exported file. The root cause is a lack of proper access control and data sanitization before writing the database dump to a publicly accessible location. The script fails to filter or redact sensitive data before the export, making it readily available to anyone with access to the exported file. This is a classic example of information disclosure due to insufficient security measures during data handling and export.

04 // Exploitation Status

While the vulnerability is old, it remains a significant risk if vulnerable systems are still online. Public PoC exploits are readily available, and the simplicity of the attack makes it easily exploitable. The lack of modern security features in the affected software makes it a prime target for opportunistic attackers.

05 // Threat Intelligence

This vulnerability is likely targeted by opportunistic attackers seeking easy access to credentials. While no specific APT groups are directly linked to this specific CVE, the ease of exploitation makes it attractive to a wide range of threat actors. This type of vulnerability is often used as an initial access vector.

CISA KEV: Not Listed

06 // Detection & Hunting

  • Monitor web server access logs for requests to export.php or similar file names associated with database exports.

  • Analyze the contents of web server directories for unexpected or publicly accessible database dump files.

  • Implement file integrity monitoring to detect unauthorized modifications to application files, including export.php.

  • Network Intrusion Detection Systems (NIDS) can be configured to detect suspicious HTTP requests targeting export.php or similar endpoints.
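The first two hunting items above can be combined into one pass over the access log. This is an added example, not code from the advisory or from The Address Book project: it flags successful requests to export.php and successful fetches of dump-like files, and marks a fetch as "chained" when the same client had already called export.php. The dump suffix list, the `/addressbook/` path, the file name `example_dump.sql` and the log lines are constructed assumptions; the advisory does not give the dump file's name.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: client, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumption: dump files carry one of these suffixes; adjust to your deployment.
DUMP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak")


def hunt(lines):
    """Return findings as (kind, client_ip, path) tuples.

    'export'  : a successful request to export.php
    'dump'    : a successful fetch of a dump-like file
    'chained' : a dump fetch by a client that had already hit export.php
    """
    exporters = set()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparseable or unsuccessful requests are not findings
        path = urlsplit(m["target"]).path.lower()  # drop the query string
        if path.rsplit("/", 1)[-1] == "export.php":
            exporters.add(m["ip"])
            findings.append(("export", m["ip"], path))
        elif path.endswith(DUMP_SUFFIXES):
            kind = "chained" if m["ip"] in exporters else "dump"
            findings.append((kind, m["ip"], path))
    return findings


# Constructed sample log lines (documentation-range IPs, hypothetical paths).
SAMPLE = [
    '198.51.100.7 - - [10/Jan/2007:10:00:01 +0000] "GET /addressbook/index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jan/2007:10:02:11 +0000] "GET /addressbook/export.php?x=1 HTTP/1.1" 200 312',
    '203.0.113.9 - - [10/Jan/2007:10:02:15 +0000] "GET /addressbook/example_dump.sql HTTP/1.1" 200 48211',
    '198.51.100.7 - - [10/Jan/2007:10:05:40 +0000] "GET /addressbook/example_dump.sql HTTP/1.1" 404 209',
    '192.0.2.44 - - [10/Jan/2007:10:09:02 +0000] "GET /addressbook/example_dump.sql HTTP/1.1" 200 48211',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(*finding)
```

A "dump" finding from a client that never called export.php means the file was already sitting in the document root, so the credentials in it should be treated as exposed regardless of who triggered the export.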

07 // Remediation & Hardening

  • Immediately upgrade to a patched version of The Address Book or, if unavailable, migrate to a more secure address book application.

  • If upgrading is not possible, remove the export.php file or disable its functionality entirely.

  • Implement strong access controls to restrict access to the web server's document root and sensitive files.

  • Review and harden the web server configuration to prevent unauthorized access and information disclosure.

  • Regularly scan the system for known vulnerabilities using vulnerability scanners.

  • Implement a Web Application Firewall (WAF) to filter malicious requests.

  • Rotate credentials regularly.

08 // Affected Products

The Address Book 1.04e

09 // Discovered Proof of Concept Links
