Dynmap: Source Code Disclosure - Detectify

Created on 27 Sep 2016  ·  17Comments  ·  Source: webbukkit/dynmap

GET /standalone/MySQL_access.php HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Detectify) +https://detectify.com/bot/fd15421794cc1529da604605edacccce62dbff18
Accept-Encoding
gzip, deflate
Accept-Language
en-US
Accept
text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,_/_; q=0.8
Host
mydomain
Cookie
JSESSIONID=1p33jjy454nxr170hwi0jw9kth
Cache-Control
no-store, no-cache
Pragma
no-cache
Response Headers
HTTP/1.1 200 OK
Strict-Transport-Security
max-age=15552000; includeSubDomains
Content-Length
132
Date
Tue, 27 Sep 2016 14:13:27 GMT
Last-Modified
Mon, 22 Aug 2016 18:58:29 GMT
Server
Jetty(8.y.z-SNAPSHOT)

RESULT:

require_once('MySQL_funcs.php');

if ($loginenabled) {
$rslt = getStandaloneFile('dynmap_access.php');
eval($rslt);
}
?>

All 17 comments

Also

text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,_/_; q=0.8

echo "

500 Error

";
echo $errormsg;
cleanupDb();
exit;
}

function initDbIfNeeded() {
global $db, $dbhost, $dbuserid, $dbpassword, $dbname, $dbport;

if (!$db) {
$db = mysqli_connect('p:' . $dbhost, $dbuserid, $dbpassword, $dbname, $dbport);
if (mysqli_connect_errno()) {
abortDb("Error opening database");
}
}
}

function getStandaloneFileByServerId($fname, $sid) {
global $db, $dbprefix;

initDbIfNeeded();
$stmt = $db->prepare('SELECT Content from ' . $dbprefix . 'StandaloneFiles WHERE FileName=? AND ServerID=?');
$stmt->bind_param('si', $fname, $sid);
$res = $stmt->execute();
$stmt->store_result();
$stmt->

Also:
text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,_/_; q=0.8
echo "

500 Error

";
echo $errormsg;
cleanupDb();
exit;
}

function initDbIfNeeded() {
global $db, $dbhost, $dbuserid, $dbpassword, $dbname, $dbport;

if (!$db) {
$db = mysqli_connect('p:' . $dbhost, $dbuserid, $dbpassword, $dbname, $dbport);
if (mysqli_connect_errno()) {
abortDb("Error opening database");
}
}
}

function getStandaloneFileByServerId($fname, $sid) {
global $db, $dbprefix;

initDbIfNeeded();
$stmt = $db->prepare('SELECT Content from ' . $dbprefix . 'StandaloneFiles WHERE FileName=? AND ServerID=?');
$stmt->bind_param('si', $fname, $sid);
$res = $stmt->execute();
$stmt->store_result();
$stmt->

ob_start();
require_once('MySQL_funcs.php');
include('MySQL_config.php');
require('MySQL_getlogin.php');
ob_end_clean();

session_start();

if(isset($_POST['j_password'])) {
$password = $_POST['j_password'];
}
else {
$password = '';
}
if(isset($_POST['j_verify_password'])) {
$verify = $_POST['j_verify_password'];
}
else {
$verify = '';
}
if(strcmp($password, $verify)) {
echo "{ \"result\": \"verifyfailed\" }";
return;
}

if(isset($_POST['j_username'])) {
$userid = $_POST['j_username'];
}
else {
$userid = '-guest-';
}
if(isset($_POST['j_passcode'])) {
$passcode = $_POST['j_passcode'];
}
else {
$passcode = '';
}
$good = false;

$useridlc = strtolower($userid);

$_SESSION['userid'] = '-guest-';

$good = false;

if(strcmp($useridlc, '-guest-')) {
if(isset($pendingreg[$useridlc])) {
if(!strcmp($passcode, $pendingreg[$useridlc])) {
$ctx = hash_init('sha256');
hash_update($ctx, $pwdsalt);
hash_update($ctx, $password);
$hash = hash_final($ctx);
$_SESSION['userid'] = $userid;
$good = true;
$newlines[] = arra

This should not be accessible in the webbrowser.
Live example:
https://mc.selea.se/standalone/MySQL_register.php

the map is here:
https://mc.selea.se/map

Tip: Enclose the code in three ticks (```) on top and bottom, like so:

(code)

As for your webserver disclosing PHP codes, it looks like your webserver wasn't set up properly. Did you install the PHP driver for your webserver?

I just checked out your website. It says that it's run on Jetty, which most likely means you're using the Dynmap's built-in webserver. You don't need to worry about the standalone directory; it's for running the web portion of Dynmap through a separate "standalone" web server.

Yes, it is using the build in webbserver. I just use a reverseproxy do add some https support.

Can I enclose the code in the standalone webserver for dynmap? Would be nice

There's a whole wiki article on how to run the dynmap on an external web server. That's what my server is doing. If you want to take a look, check http://game.arcaneminecraft.com/dynmap/ out and turn on the developer tools (via [F12]). It's using Lighttpd.

The wiki page: https://github.com/webbukkit/dynmap/wiki/Setting-up-without-the-Internal-Web-Server

As long I can ReverseProxy it via apache.
I currently have one webbserver mod mod_ssl, mod_proxy and mod_security2.
My other servers is running "behind" my webbserver. Just to make thing easier.

If it works, it works ¯_(ツ)_/¯

Í didn't exactly understand proxy, and I wanted dynmap to take the simplest route without having to go through outside network, so I went for lighttpd.

Anyhow, the source codes for everything in the web/standalone directory are in here: https://github.com/webbukkit/DynmapCore/tree/master/src/main/resources/extracted/web/standalone

This is a misconfigred web server - make sure your server is configured to execute PHP versus just return it: not a Dynnap issue.

@mikeprimm
How can this be missconfigured when it is the internal one that is delivered with dynmap?

It seems that you did not read the thread, and I have no idea why you closed it.

The internal web server doesn't USE the PHP scripts.... they are only for use with external web servers, like Apache. The built in server neither needs them nor supports PHP scripts.

So I can just delete the files then? Is that what you are saying?
As I said, I just use Apache as a ReverseProxy so dynmap is NOT running in apache, only the build it webserver that is delivered with the plugin itself.

And if the files comes by default with the plugin you first messages should not be:
"This is a misconfigred web server - make sure your server is configured to execute PHP versus just return it: not a Dynnap issue."

Because the files CLEARLY is delivered anyway - This makes it a dynmap "issue".

Steps to reproduce:

Visit your dynmap:
http://IPADDRESS:8123/standalone/MySQL_register.php

Can I deleted the files?
@mikeprimm
@SimonOrJ

You can remove any PHP files from your install if you are using the internal web server - they are only there for use with an external web server, like Apache.

@mikeprimm
Alright, thanks!
Guess my server was not missconfigured then ;) ;) ;) ;)

Was this page helpful?
0 / 5 - 0 ratings

Related issues

mibby picture mibby  ·  4Comments

fuwwy picture fuwwy  ·  3Comments

DraxxisGH picture DraxxisGH  ·  3Comments

Marbel picture Marbel  ·  3Comments

Military-Doctor picture Military-Doctor  ·  3Comments