Date: Fri, 13 Jul 2001 12:18:12 -0400
From: qDefense Advisories <advisories@qDefense.com>
To: bugtraq@securityfocus.com
Subject: AdCycle SQL Command Insertion Vulnerability - qDefense Advisory Number QDAV-2001-7-2

AdCycle SQL Command Insertion Vulnerability
qDefense Advisory Number QDAV-2001-7-2

Product: AdCycle
Vendor: AdCycle (http://adcycle.com)
Severity: Remote; attacker may gain AdCycle administrator status
Versions Affected: Versions up to and including 1.15
Vendor Status: Vendor contacted; has released new version, 1.16, which is not vulnerable
Cause: Failure to validate input

In Short:

AdCycle does not properly validate user input. This input is used to form SQL commands, which are passed to a MySQL database. By submitting cleverly crafted input, an attacker can bypass the administrator password check.

The current version of this document is available at http://qDefense.com/Advisories/QDAV-2001-7-2.html.

Details:

In file AdLogin.pm, AdCycle uses the following SQL command to authenticate a user signing in:

    "SELECT * FROM ad WHERE LOGIN='$account' AND PASSWORD='$password'"

If an attacker signs in using an account name of "ADMIN" and a password of

    X' OR 1 #

the attacker can cause AdCycle to execute the following SQL command:

    "SELECT * FROM ad WHERE LOGIN='ADMIN' AND PASSWORD='X' OR 1 #'"

The pound sign causes MySQL to treat the rest of the line, including the trailing single quote, as a comment. Because AND binds more tightly than OR, the WHERE clause is evaluated as (LOGIN='ADMIN' AND PASSWORD='X') OR 1, and since anything OR 1 is true, the query returns a recordset (every row of the ad table) no matter what account name or password was supplied. AdCycle treats the non-empty recordset as a successful login and considers the attacker authenticated as administrator.

Administrator status allows one to modify the various ads. qDefense has not determined whether an attacker can cause command execution using this technique.

Solution:

AdCycle has released an upgrade, version 1.16, which validates user input.

qDefense would like to thank AdCycle for their prompt response on this issue.

© 2001 qDefense Information Security Consultants. qDefense is a subsidiary of Computer Modeling Corp.

This document may be reproduced, in whole or in part, provided that no modifications are made and that proper credit is given. Additionally, if it is made available through hypertext, it must be accompanied by a link to the qDefense web site, http://qdefense.com.

qDefense Advisories
advisories@qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER
qDefense offers a wide variety of security services
See http://qDefense.com/Services
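The bypass described in the Details section, rebuilt as an added example. This is not AdCycle's own code (AdLogin.pm is Perl) and not part of the advisory: it reproduces the interpolated statement exactly as quoted above and then runs the vulnerable and a hardened login check against a constructed in-memory SQLite table with invented rows and passwords. Because SQLite comments start with "--" rather than MySQL's "#", the payload actually executed here is "X' OR 1 --"; the precedence trick that makes "OR 1" swallow the whole WHERE clause is the same. The hardened check uses bound parameters, which is a different fix from the input validation the advisory credits version 1.16 with, and it also refuses any result other than exactly one row for the requested account.

```python
import sqlite3

# Constructed sample data standing in for AdCycle's "ad" table. The column
# names LOGIN and PASSWORD come from the advisory; the rows are invented, and
# the plaintext password comparison mirrors the advisory's query, not good
# practice.
SAMPLE_ROWS = [
    ("ADMIN", "s3cret-admin-pw"),
    ("advertiser1", "hunter2"),
]

# The advisory's payload, written for MySQL, where "#" starts a comment.
MYSQL_PAYLOAD = "X' OR 1 #"
# The same bypass for SQLite, which uses "--" rather than "#" for comments.
SQLITE_PAYLOAD = "X' OR 1 --"


def make_db():
    """Create an in-memory SQLite database holding the sample ad table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ad (LOGIN TEXT, PASSWORD TEXT)")
    conn.executemany("INSERT INTO ad VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_vulnerable_query(account, password):
    """Mirror AdLogin.pm's string interpolation of $account and $password.

    With MYSQL_PAYLOAD as the password this yields exactly the statement
    quoted in the advisory.
    """
    return f"SELECT * FROM ad WHERE LOGIN='{account}' AND PASSWORD='{password}'"


def vulnerable_rows(conn, account, password):
    """Run the interpolated statement and return every row it matches.

    AND binds tighter than OR, so with the payload the WHERE clause becomes
    (LOGIN=... AND PASSWORD='X') OR 1 and every row of the table comes back.
    """
    return conn.execute(build_vulnerable_query(account, password)).fetchall()


def login_vulnerable(conn, account, password):
    """AdCycle's check as the advisory describes it: any non-empty recordset
    counts as a successful login."""
    return len(vulnerable_rows(conn, account, password)) > 0


def login_hardened(conn, account, password):
    """Bound parameters: the driver ships the two values separately from the
    SQL text, so quotes, OR and comment markers inside them are inert data.
    Additionally require exactly one row, and that it is the account asked
    for, instead of accepting any non-empty result."""
    rows = conn.execute(
        "SELECT LOGIN FROM ad WHERE LOGIN=? AND PASSWORD=?",
        (account, password),
    ).fetchall()
    return len(rows) == 1 and rows[0][0] == account


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query("ADMIN", MYSQL_PAYLOAD))
    print(vulnerable_rows(conn, "nobody", SQLITE_PAYLOAD))
    print("vulnerable login:", login_vulnerable(conn, "ADMIN", SQLITE_PAYLOAD))
    print("hardened login:  ", login_hardened(conn, "ADMIN", SQLITE_PAYLOAD))
```

Running the block prints the advisory's exact MySQL statement, then shows the SQLite payload returning both rows even for a non-existent account name, the vulnerable check accepting it, and the parameterised check rejecting it.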