[UNIX] QwikAd Allows Malicious SQL Code Injection
From: support@securiteam.comDate: 12/27/01
- Previous message: support@securiteam.com: "[NEWS] Serious Security Flaw in Citrix Client"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Thu, 27 Dec 2001 08:18:57 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
QwikAd Allows Malicious SQL Code Injection
------------------------------------------------------------------------
SUMMARY
<http://virusexperts.com/qwikad.php> QwikAd is software written in Perl,
which uses DBI with MySQL driver to access database. A security
vulnerability in the product allows remote attackers to insert malicious
SQL statements into existing ones.
DETAILS
Vulnerable systems:
QwikAd version 1.0
QwikAd script:
Many values provided by client used in the SQL statements go through
'stripBad' filter, however the author of the program forget that
HTTP_REFERER data values that comes client can also contain malicious
code, and if it used inside an SQL statement (as in the case of QwikAd),
an attacker Can cause the program to execute malicious code.
Publishers script:
This is vulnerability best illustrated by the following example:
} elsif($cgi->param('action') eq 'exclude' && $cgi->param('exclude')) {
my $id = $cgi->param('exclude');
my ($ids) = query("SELECT exclude FROM publishers WHERE user='$user'");
if($ids =~ /$id/) {
$ids =~ s/,$id//;
$ids =~ s/$id,//;
} else {
$ids .= ",$id";
}
my @ids = split(',', $ids);
my $where = "UPDATE LOW_PRIORITY publishers SET exclude='";
foreach(@ids) {
$where .= "$_,";
}
$where =~ s/,$//;
$where .= "' WHERE user='$user'";
my $sth = $dbh->prepare($where);
The call to 'stripBad' filter has been obviously omitted here.
ADDITIONAL INFORMATION
The information has been provided by <mailto:GOBBLES@hushmail.com>
GOBBLES LABS.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NEWS] Serious Security Flaw in Citrix Client"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
