Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Server/CGI)  >   AdRotate Pro Vendors:   VanBrunt, Les
AdRotate Pro Perl-based Banner Management Utility Has Input Validation Flaw That Lets Remote Users Modify the Underlying Database and May Let Remote Users Execute Arbitrary Code on the Web Server
SecurityTracker Alert ID:  1003046
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 24 2001
Impact:   Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  

Description:   GOBBLES Research reported a vulnerability in AdRotate Pro, a banner advertisement management system. A remote user can manipulate the underlying SQL database and may be able to execute arbitrary code on the web server.

The vulnerability is reportedly due to an input validation flaw in the module. The 'get_input' subroutine apparently does not filter user-supplied input from GET and POST requests. That data is subsequently used to construct SQL statements. As a result, a remote user can use SQL injection attacks against AdRotate to modify the server's database.

It may also be possible for the remote user to execute arbitrary commands on the system.

Impact:   A remote user can manipulate the underlying MySQL database and may also be able to execute arbitrary commands on the web server with the privileges of the web server.
Solution:   No solution was available at the time of this entry.

The vendor is reportedly aware of the issue and working on a fix.

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents



AdRotate Pro 

This is used by a lot of sites out there in the wild. 


AdRotate is ad rotating software written in Perl language, which uses DBI
with mysql driver to access database. Included with software is module which contains subroutine 'get_input' to process data fed by
client with GET or POST method. This module routine is accessed by many
AdRotate scripts and results are stored in associative array named 'in'. 

AdRotate constructs a very many SQL statement with data taken straight from
'in' without sanity checking. Thus it is possible to use SQL injection
attacks against AdRotate software to manipulate the server's database. 

It may be possible to modify data in the database and then gain the ability
to execute arbitrary commands on server by tricking calls to open() by the
software using famous pipe trick and such (second argument in all calls to
open() by AdRotate is otherwise safe due to hardcoded values or values
returned by database queries). These commands will be run under the context
of webserver process (most likely 'nobody', 'www', etc.). 


No time to notify vendor. This is marathon. 



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC