GOBBLES CGI MARATHON #001

From: bugtraq (bugtraqat_private)
Date: Sun Dec 23 2001 - 18:16:35 PST


    PRODUCT
    ******* 
    
    AdRotate Pro
    http://www.vanbrunt.com/adrotate/ 
    
    This is used by a lot of sites out there in the wild. 
    
    DESCRIPTION
    *********** 
    
    AdRotate is ad-rotating software written in Perl, which uses DBI with the
    MySQL driver to access its database. Included with the software is the module
    adrotate.pm, which contains the subroutine 'get_input' that parses the data
    sent by the client via GET or POST. This routine is called by many of the
    AdRotate scripts, and the parsed results are stored in the associative array
    (hash) named 'in'. 
    
    AdRotate constructs a great many SQL statements by interpolating values taken
    straight from 'in' into the statement text, without any sanity checking and
    without DBI placeholders. Thus it is possible to use SQL injection against
    AdRotate to read or manipulate the server's database. 
    
    It may further be possible to escalate from database manipulation to
    arbitrary command execution on the server. AdRotate uses the two-argument
    form of open(), and the second argument in every call is otherwise safe,
    since it is either a hardcoded value or a value returned by a database
    query. But Perl's two-argument open() treats a "filename" that begins or
    ends with '|' as a command to run (the famous pipe trick), so once an
    injected UPDATE can rewrite a value that a later open() reads back from
    the database, that value becomes a command. Such commands run in the context
    of the webserver process (most likely 'nobody', 'www', etc.). 
    
    VENDOR NOTIFICATION
    ******************* 
    
    No time to notify vendor. This is marathon. 
    
    
    GOBBLES Labs
    GOBBLESat_private
    http://www.bugtraq.org/ 
    



    This archive was generated by hypermail 2b30 : Sun Dec 23 2001 - 21:39:32 PST