SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Server/CGI)  >   AdCycle Vendors:   AdCycle.com
AdCycle Lets Remote Users Bypass Authentication and Obtain Administrator Access
SecurityTracker Alert ID:  1002011
SecurityTracker URL:  http://securitytracker.com/id/1002011
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 16 2001
Impact:   User access via network

Version(s): up to and including 1.15
Description:   qDefense reported a vulnerability in AdCycle that lets remote users bypass the AdCycle administrator authentication mechanism and gain administrator access to the ad management system.

It is reported AdCycle does not propely validate user-supplie input that is used to form SQL commands. A remote user can create a specially crafted input to bypass the administrator authentication mechanisms.

The vulnerability reportedly exists in the file 'AdLogin.pm', where the following SQL command is used to authenticate a remote user:

"SELECT * FROM ad WHERE LOGIN='$account' AND PASSWORD='$password'"

If a remote user supplies an account name of "ADMIN" and a password of X ' OR 1 #, the remote user will cause AdCycle to use the following SQL command:
"SELECT * FROM ad WHERE LOGIN='ADMIN' AND PASSWORD='X' OR 1 #'

The pound sign reportedly causes the back end MySQL database to ignore the trailing single quote. The database will return a recordset and AdCycle will incorrectly conclude that the remote user is a valid authenticated administrator.

Administrator status reportedly allows a user to modify advertisements.
Impact:   A remote user can obtain administrative access to AdCycle and can modify web site advertisements.
Solution:   The vendor has released a new version (1.16).
Vendor URL:  www.adcycle.com/ (Links to External Site)
Cause:   Authentication error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.

 Source Message Contents
Date:  Fri, 13 Jul 2001 12:18:12 -0400
Subject:  AdCycle SQL Command Insertion Vulnerability - qDefense



AdCycle SQL Command Insertion Vulnerability
qDefense Advisory Number QDAV-2001-7-2

Product: AdCycle

Vendor: AdCyle (http://adcycle.com)

Severity: Remote; Attacker may gain AdCycle administrator status

Versions Affected: Versions up to and including 1.15

Vendor Status: Vendor contacted; has released new version, 1.16, which is 
not vulnerable

Cause: Failure to validate input

In Short: AdCycle does not propely validate the user input. This input is 
used to form SQL commands, which are passed to a mySQL database. By 
submitting cleverly crafted input, an attacker can bypass the administrator 
password check.


The current version of this document is available at 
http://qDefense.com/Advisories/QDAV-2001-7-2.html.

Details:
In file AdLogin.pm, AdCycle uses the following SQL command to authenticate 
a user signing in:

"SELECT * FROM ad WHERE LOGIN='$account' AND PASSWORD='$password'"

If an attacker signs in, using a account name of "ADMIN" and a password of
  X ' OR 1 #
an attacker can cause AdCycle to use the following SQL command:
"SELECT * FROM ad WHERE LOGIN='ADMIN' AND PASSWORD='X' OR 1 #'

The pound sign cause mySQL to ignore the trailing single quote.
Since anything OR 1 is true, the query will return a recordset, and AdCycle 
will think that the attacker has authenticated as administrator.

Administrator status allows one to modify the various ads. qDefense has not 
determined if an attacker can cause command execution using this technique.

Solution:

AdCylce has released an upgrade, version 1.16, which validates user input.

qDefense would like to thank AdCycle for their prompt response on this issue.




© 2001 qDefense Information Security Consultants. qDefense is a subsidiary 
of Computer Modeling Corp.
This document may be reproduced, in whole or in part, provided that no 
modifications are made and that proper credit is given. Additionally, if it 
is made available through hypertext, it must be accompanied by a link to 
the qDefense web site, http://qdefense.com.
qDefense Advisories
advisories@qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER

qDefense offers a wide variety of security services
See http://qDefense.com/Services


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC