
MySQLStorage.sql visible on web - why?

2 weeks 2 days ago #170003 by bill hyde
bill hyde created the topic: MySQLStorage.sql visible on web - why?
Hi,
I use myjoomla to check vulnerabilities on my Joomla based sites.
One site is also running K2 v2.9.0 and the following has been flagged as a vulnerability:
/media/k2/assets/vendors/studio-42/elfinder.1/php/MySQLStorage.sql
When I tried this myself on the site - www.weekendrails.co.uk - I was able to get a download window open which would enable anyone to download the MySQL storage for the site and potentially be able to engineer hacks from that detail.

What I do not understand is why this even exists within the installation and can I disable or even remove it entirely?

Any advice would be helpful.

Thx Bill


2 weeks 2 days ago #170017 by Fotis
Fotis replied the topic: MySQLStorage.sql visible on web - why?
This file comes with the elFinder widget which is used for the K2 Media Manager. It does not have any SQL schema related to Joomla or K2. It is not used anywhere. It's just part of the source code of that widget. Nothing more.

In other words, you can safely ignore it. Myjoomla (which you mentioned) probably runs generic checks on .sql files. That doesn't mean this is a vulnerability.


If you use & love K2, please take a moment to add your review and rate it
at the Joomla Extensions Directory: extensions.joomla.org/extension/k2/


IMPORTANT: Please search the forum before posting a question!

JoomlaWorks Support Team Member


2 weeks 1 day ago #170022 by bill hyde
bill hyde replied the topic: MySQLStorage.sql visible on web - why?
Thanks for your reply. The SQL that link allows you to download contains a table of nulls - could I disable that table to stop people accessing it via a browser?


2 weeks 1 day ago #170030 by Fotis
Fotis replied the topic: MySQLStorage.sql visible on web - why?
You can safely delete that file; it's like a text file. It doesn't do anything and it cannot be "read" or processed by the browser.

2 weeks 1 day ago #170032 by bill hyde
bill hyde replied the topic: MySQLStorage.sql visible on web - why?
Thanks very much for your help.


2 weeks 1 day ago #170042 by Fotis
Fotis replied the topic: MySQLStorage.sql visible on web - why?
You're welcome :)
1 week 5 days ago #170087 by Phil Taylor
Phil Taylor replied the topic: MySQLStorage.sql visible on web - why?

bill hyde wrote: Hi,
I use myjoomla to check vulnerabilities on my Joomla based sites.
One site is also running K2 v2.9.0 and the following has been flagged as a vulnerability:


Factually incorrect.

What we ACTUALLY say on the learn more page is:

We highly recommend that you look through the list of files we are reporting and see if you want these files on your website; they *MAY* be leaking your whole site's database, or worse, be left over from data imports and the like.

This is a valid check because we see time and time again, people leaving files like backup.sql or site.sql in the root of their site, and hackers know that, and scan for these kinds of things.

For example, https://www.google.je/search?q=%22backup.sql%22+ext%3Asql (THIS LINK TO GOOGLE): how many backup.sql files can you see for live sites? Click around the search results and you will see LIVE SITES' data; that is how easy it is to hack a whole site's database by not following best practice.

Check each file and if you are happy - then we are happy.

We are fully aware there will be false positives, including the installation SQL files for extensions. We will filter out the core Joomla install SQL files, but WILL show everything else.

The exact pattern we match on will also find Akeeba Backup restoration SQL files.


Kindest regards
Phil.
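The check Phil describes (report every .sql file under the web root, filter out the core Joomla install files, and let the site owner triage the rest) can be reproduced locally so a site owner can run it before a hosted scanner flags anything. The script below is an added example written for this thread; it is not myjoomla's code and not part of K2 or Joomla. The core install paths in CORE_INSTALL_SQL_PREFIXES are assumptions about a stock Joomla tree, and the sample web root it builds (an elFinder-style schema file, a Joomla installer file, and a backup.sql with INSERT rows) is constructed data. It adds one triage step the thread only implies: a file containing INSERT statements may carry real rows and deserves more attention than a DDL-only file such as the K2 elFinder schema discussed above.

```python
"""Scan a web document root for .sql files and triage them.

Added example for the forum thread above; not myjoomla's, K2's or Joomla's own code.
"""
import os
import re
import tempfile

# Stock Joomla installer SQL directories to filter out of the report.
# These prefixes are assumptions for this example; the thread only says
# "core Joomla install sql files" without listing them.
CORE_INSTALL_SQL_PREFIXES = (
    "installation/sql/",
    "administrator/components/com_admin/sql/",
)

# A line starting with INSERT INTO suggests the file carries data rows, not just schema.
INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\b", re.IGNORECASE | re.MULTILINE)


def find_sql_files(webroot):
    """Return the relative, '/'-separated paths of every *.sql file under webroot."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".sql"):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def classify(rel_path, content):
    """Triage one finding.

    'core'   -> stock Joomla installer SQL, filtered out of the report
    'data'   -> contains INSERT statements, so it may hold real rows (a dump)
    'schema' -> DDL only, e.g. an extension's own install or schema file
    """
    if rel_path.startswith(CORE_INSTALL_SQL_PREFIXES):
        return "core"
    if INSERT_RE.search(content):
        return "data"
    return "schema"


def scan(webroot):
    """Map each non-core .sql path under webroot to its triage label."""
    report = {}
    for rel in find_sql_files(webroot):
        with open(os.path.join(webroot, rel), encoding="utf-8", errors="replace") as fh:
            label = classify(rel, fh.read())
        if label != "core":
            report[rel] = label
    return report


def build_sample_webroot():
    """Create a constructed Joomla-like tree in a temp dir (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.php": "<?php echo 'hello';",
        # Constructed stand-in for a core installer file: filtered as 'core'.
        "installation/sql/mysql/joomla.sql": "CREATE TABLE `#__users` (id INT);\n",
        # Constructed stand-in for the elFinder schema file from the thread: DDL only.
        "media/k2/assets/vendors/studio-42/elfinder.1/php/MySQLStorage.sql":
            "CREATE TABLE IF NOT EXISTS `elfinder_file` (`id` int unsigned NOT NULL);\n",
        # Constructed leftover dump with rows: the case Phil warns about.
        "backup.sql": "CREATE TABLE `jos_users` (id INT, password VARCHAR(100));\n"
                      "INSERT INTO `jos_users` VALUES (1, 'constructed-hash');\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, label in scan(root).items():
        print(f"{label:6s} {rel}")
```

Point scan() at a real document root to get the same kind of list the scanner produces; a 'data' finding outside an installer directory is the one to remove (or move outside the web root) first, while a 'schema' finding such as the elFinder file can be deleted as Fotis suggests or simply left alone.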
