Date: Fri, 13 Jul 2001 12:18:12 -0400
From: qDefense Advisories <[email protected]>
To: [email protected]
Subject: AdCycle SQL Command Insertion Vulnerability - qDefense Advisory Number QDAV-2001-7-2
AdCycle SQL Command Insertion Vulnerability
qDefense Advisory Number QDAV-2001-7-2
Product: AdCycle
Vendor: AdCycle (http://adcycle.com)
Severity: Remote; Attacker may gain AdCycle administrator status
Versions Affected: Versions up to and including 1.15
Vendor Status: Vendor contacted; has released new version, 1.16, which is not vulnerable
Cause: Failure to validate input
In Short: AdCycle does not properly validate user input. This input is used to form SQL commands, which are passed to a MySQL database. By submitting cleverly crafted input, an attacker can bypass the administrator password check.
The current version of this document is available at http://qDefense.com/Advisories/QDAV-2001-7-2.html.
Details:
In file AdLogin.pm, AdCycle uses the following SQL command to authenticate a user signing in:
"SELECT * FROM ad WHERE LOGIN='$account' AND PASSWORD='$password'"
If an attacker signs in using an account name of "ADMIN" and a password of
X ' OR 1 #
an attacker can cause AdCycle to use the following SQL command:
"SELECT * FROM ad WHERE LOGIN='ADMIN' AND PASSWORD='X' OR 1 #'
The pound sign causes MySQL to treat the rest of the line, including the trailing single quote, as a comment.
Since anything OR 1 is true, the query will return a recordset, and AdCycle will think that the attacker has authenticated as administrator.
Administrator status allows one to modify the various ads. qDefense has not determined if an attacker can cause command execution using this technique.
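The following is an added illustration, not AdCycle's code (AdLogin.pm is Perl; this is a Python rendering). It shows the string-interpolated statement the advisory describes beside a parameterized query, which is the stronger fix because the driver never parses user input as SQL. The "ad" table schema and rows are constructed for the example; the advisory only names the LOGIN and PASSWORD columns.

```python
import sqlite3

# Constructed sample rows standing in for AdCycle's "ad" table (assumption:
# the advisory shows only the LOGIN and PASSWORD columns).
SAMPLE_ROWS = [("ADMIN", "s3cret"), ("guest", "guest")]


def setup_db():
    """Build an in-memory database with a constructed 'ad' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ad (LOGIN TEXT, PASSWORD TEXT)")
    conn.executemany("INSERT INTO ad VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(account, password):
    """The AdLogin.pm pattern: user input interpolated straight into SQL.

    Returns the statement text only. The advisory's payload relies on
    MySQL's '#' line comment, which SQLite does not accept, so the string
    is shown rather than executed here.
    """
    return f"SELECT * FROM ad WHERE LOGIN='{account}' AND PASSWORD='{password}'"


def safe_login(conn, account, password):
    """Hardened form: bound parameters are always data, never SQL syntax."""
    cur = conn.execute(
        "SELECT * FROM ad WHERE LOGIN=? AND PASSWORD=?", (account, password)
    )
    return cur.fetchone()


if __name__ == "__main__":
    conn = setup_db()
    payload = "X ' OR 1 #"
    # The interpolated statement carries the OR 1 and the comment marker.
    print(vulnerable_query("ADMIN", payload))
    # With placeholders the same payload is just a wrong password.
    print(safe_login(conn, "ADMIN", payload))
    print(safe_login(conn, "ADMIN", "s3cret"))
```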
Solution:
AdCycle has released an upgrade, version 1.16, which validates user input.
qDefense would like to thank AdCycle for their prompt response on this issue.
© 2001 qDefense Information Security Consultants. qDefense is a subsidiary of Computer Modeling Corp.
This document may be reproduced, in whole or in part, provided that no modifications are made and that proper credit is given. Additionally, if it is made available through hypertext, it must be accompanied by a link to the qDefense web site, http://qdefense.com.
qDefense Advisories
[email protected]
qDefense - DEFENDING THE ELECTRONIC FRONTIER
qDefense offers a wide variety of security services
See http://qDefense.com/Services