[21517] in bugtraq
AdCycle SQL Command Insertion Vulnerability - qDefense
daemon@ATHENA.MIT.EDU (qDefense Advisories)
Mon Jul 16 00:48:47 2001
Message-Id: <4.3.2.7.2.20010713121650.00b41b60@compumodel.com>
Date: Fri, 13 Jul 2001 12:18:12 -0400
To: bugtraq@securityfocus.com
From: qDefense Advisories <advisories@qDefense.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: 8bit
AdCycle SQL Command Insertion Vulnerability
qDefense Advisory Number QDAV-2001-7-2
Product: AdCycle
Vendor: AdCyle (http://adcycle.com)
Severity: Remote; Attacker may gain AdCycle administrator status
Versions Affected: Versions up to and including 1.15
Vendor Status: Vendor contacted; has released new version, 1.16, which is
not vulnerable
Cause: Failure to validate input
In Short: AdCycle does not propely validate the user input. This input is
used to form SQL commands, which are passed to a mySQL database. By
submitting cleverly crafted input, an attacker can bypass the administrator
password check.
The current version of this document is available at
http://qDefense.com/Advisories/QDAV-2001-7-2.html.
Details:
In file AdLogin.pm, AdCycle uses the following SQL command to authenticate
a user signing in:
"SELECT * FROM ad WHERE LOGIN='$account' AND PASSWORD='$password'"
If an attacker signs in, using a account name of "ADMIN" and a password of
X ' OR 1 #
an attacker can cause AdCycle to use the following SQL command:
"SELECT * FROM ad WHERE LOGIN='ADMIN' AND PASSWORD='X' OR 1 #'
The pound sign cause mySQL to ignore the trailing single quote.
Since anything OR 1 is true, the query will return a recordset, and AdCycle
will think that the attacker has authenticated as administrator.
Administrator status allows one to modify the various ads. qDefense has not
determined if an attacker can cause command execution using this technique.
Solution:
AdCylce has released an upgrade, version 1.16, which validates user input.
qDefense would like to thank AdCycle for their prompt response on this issue.
© 2001 qDefense Information Security Consultants. qDefense is a subsidiary
of Computer Modeling Corp.
This document may be reproduced, in whole or in part, provided that no
modifications are made and that proper credit is given. Additionally, if it
is made available through hypertext, it must be accompanied by a link to
the qDefense web site, http://qdefense.com.
qDefense Advisories
advisories@qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER
qDefense offers a wide variety of security services
See http://qDefense.com/Services
