MySQLStorage.sql visible on web - why?

5 years 5 months ago #170003 by bill hyde
MySQLStorage.sql visible on web - why? was created by bill hyde
Hi,
I use myjoomla to check vulnerabilities on my Joomla based sites.
One site is also running K2 v2.9.0 and the following has been flagged as a vulnerability:
/media/k2/assets/vendors/studio-42/elfinder.1/php/MySQLStorage.sql
When I tried this myself on the site - www.weekendrails.co.uk - I was able to get a download window open which would enable anyone to download the MySQL storage for the site and potentially be able to engineer hacks from that detail.

What I do not understand is why this even exists within the installation and can I disable or even remove it entirely?

Any advice would be helpful

Thx Bill

5 years 5 months ago #170017 by JoomlaWorks
Replied by JoomlaWorks on topic MySQLStorage.sql visible on web - why?
This file comes with the elFinder widget which is used for the K2 Media Manager. It does not have any SQL schema related to Joomla or K2. It is not used anywhere. It's just part of the source code of that widget. Nothing more.

In other words, you can safely ignore it. Myjoomla (which you mentioned) probably runs generic checks on .sql files. That doesn't mean this is a vulnerability.

Fotis / JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)

5 years 5 months ago #170022 by bill hyde
Replied by bill hyde on topic MySQLStorage.sql visible on web - why?
Thanks for your reply. The SQL that link allows you to download contains a table of nulls - could I disable that table to stop people accessing it via a browser?

5 years 5 months ago #170030 by JoomlaWorks
Replied by JoomlaWorks on topic MySQLStorage.sql visible on web - why?
You can safely delete that file, it's like a text file. Doesn't do anything and it cannot be "read" or processed by the browser.

Fotis / JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)

5 years 5 months ago #170032 by bill hyde
Replied by bill hyde on topic MySQLStorage.sql visible on web - why?
Thanks very much, thanks for the help.

5 years 5 months ago #170042 by JoomlaWorks
Replied by JoomlaWorks on topic MySQLStorage.sql visible on web - why?
You're welcome :)

Fotis / JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)

5 years 5 months ago #170087 by Phil Taylor
Replied by Phil Taylor on topic MySQLStorage.sql visible on web - why?
bill hyde wrote: Hi,
I use myjoomla to check vulnerabilities on my Joomla based sites.
One site is also running K2 v2.9.0 and the following has been flagged as a vulnerability:

Factually incorrect.

What we ACTUALLY say on the learn more page is:

We highly recommend that you look through the list of files we are reporting and see if you want these files on your website, they *MAY* be leaking your whole sites database, or worse, be left over from data imports and the like

This is a valid check because we see time and time again, people leaving files like backup.sql or site.sql in the root of their site, and hackers know that, and scan for these kinds of things.

For example, THIS LINK TO GOOGLE (www.google.je/search?q=%22backup.sql%22+ext%3Asql): how many backup.sql files can you see for live sites? Click around the search results and you will see LIVE SITES data, that is how easy it is to hack a whole site's database by not following best-practice.

Check each file and if you are happy - then we are happy.

We are fully aware there will be false positives, including the installation sql files for extensions. We will filter out the core Joomla install sql files, but WILL show everything else.

The exact pattern we match on will also find akeeba backup restoration sql files.

Kindest regards
Phil.

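An added example, not part of the thread or of the myjoomla scanner: a small Python script that walks a web root for `.sql` files the way Phil describes, skipping Joomla core install paths and separating schema-only vendor files (like the elFinder one discussed above) from files that carry row data and so need a human look. The core path prefixes, the filename hints and the sample file contents are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Assumed Joomla core install SQL locations to skip (the thread says core files are filtered).
CORE_SQL_PREFIXES = ("installation/sql/", "administrator/components/com_admin/sql/")
BACKUP_NAME_RE = re.compile(r"backup|site|dump|export", re.IGNORECASE)  # names the thread mentions
INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\b", re.IGNORECASE | re.MULTILINE)
CREATE_RE = re.compile(r"^\s*CREATE\s+TABLE\b", re.IGNORECASE | re.MULTILINE)

def classify_sql(rel_path, content):
    """Classify a .sql file under the web root by its path and the start of its content."""
    if rel_path.startswith(CORE_SQL_PREFIXES):
        return "core-install"   # shipped by Joomla itself; the scanner filters these out
    if INSERT_RE.search(content):
        return "contains-data"  # has row data: could be a real dump, review by hand
    if CREATE_RE.search(content):
        return "schema-only"    # table definitions only, e.g. a widget's install script
    return "unknown"

def scan_webroot(webroot, head_bytes=65536):
    """Return sorted (relative path, classification, backup-like name?) tuples for every .sql file."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".sql"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                head = fh.read(head_bytes)   # only the head is needed to spot INSERTs
            findings.append((rel, classify_sql(rel, head), bool(BACKUP_NAME_RE.search(name))))
    return sorted(findings)

# Constructed sample tree mirroring the thread; the contents are made up, not the real files.
SAMPLES = {
    "installation/sql/mysql/joomla.sql": "CREATE TABLE `#__users` (`id` int);\nINSERT INTO `#__users` VALUES (1);\n",
    "media/k2/assets/vendors/studio-42/elfinder.1/php/MySQLStorage.sql": "CREATE TABLE IF NOT EXISTS `elfinder_file` (`id` int);\n",
    "backup.sql": "-- dump\nCREATE TABLE `jos_users` (`id` int);\nINSERT INTO `jos_users` VALUES (42, 'admin');\n",
}

def demo():
    # Write the samples into a temporary web root and scan it.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)
```

Call `demo()` to see the three sample outcomes, or `scan_webroot("/path/to/webroot")` on a real site; anything reported as `contains-data` or with a backup-like name is what deserves the manual check Phil asks for.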