High-Tech Bridge (htbridge), HTB23209
Mar 26, 2014 - 12:00 a.m.

SQL Injection in mAdserve

2014-03-26 00:00:00
High-Tech Bridge
www.htbridge.com

EPSS: 0.007 (percentile: 80.8%)

High-Tech Bridge Security Research Lab discovered multiple SQL injection vulnerabilities in mAdserve, which can be exploited to execute arbitrary SQL commands in the application’s database and compromise the vulnerable website.

1. SQL Injection in mAdserve: CVE-2014-2654

1.1 The vulnerability exists due to insufficient sanitization of user input passed via the “id” HTTP GET parameter to the “/www/cp/edit_ad_unit.php” script. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application’s database and gain complete control over the application.
The exploitation example below displays the version of the MySQL server:
http://[host]/www/cp/edit_ad_unit.php?id=1%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,version%28%29,13,14,15,16,17%20--%202

1.2 Input passed via the “id” HTTP GET parameter to the “/www/cp/view_adunits.php” script is not properly sanitised before being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application’s database and gain complete control over the application.
The exploitation example below displays the version of the MySQL server:
http://[host]/www/cp/view_adunits.php?id=1%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%202

1.3 Input passed via the “id” HTTP GET parameter to the “/www/cp/edit_campaign.php” script is not properly sanitised before being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application’s database and gain complete control over the application.
The exploitation example below displays the version of the MySQL server:
http://[host]/www/cp/edit_campaign.php?id=1%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%202

Successful exploitation of these vulnerabilities requires the attacker to have an account and to be logged in. User accounts are manually created by the mAdserve administrator.
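
A log check for the three scripts listed above, as an added example that is not part of the High-Tech Bridge advisory or of mAdserve: it flags requests whose decoded “id” value is not a plain integer. The combined access-log format, the assumption that legitimate ids are numeric, and the names suspicious_ids and scan are assumptions made here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts named in the advisory whose "id" GET parameter reaches a SQL query.
AFFECTED = {
    "/www/cp/edit_ad_unit.php",
    "/www/cp/view_adunits.php",
    "/www/cp/edit_campaign.php",
}

# Assumed combined-log request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_ids(log_line):
    """Return the decoded non-numeric "id" values sent to an affected script."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path not in AFFECTED:
        return []
    # parse_qs percent-decodes values; keep_blank_values so "id=" is seen too.
    values = parse_qs(url.query, keep_blank_values=True).get("id", [])
    # Assumption: a legitimate id is a short run of digits and nothing else.
    return [v for v in values if not re.fullmatch(r"[0-9]{1,10}", v)]

def scan(lines):
    """Yield (line_number, client, bad_values) for each flagged log line."""
    for n, line in enumerate(lines, 1):
        bad = suspicious_ids(line)
        if bad:
            yield n, line.split(" ", 1)[0], bad

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [26/Mar/2014:10:00:01 +0000] "GET /www/cp/edit_ad_unit.php?id=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/Mar/2014:10:00:07 +0000] "GET /www/cp/view_adunits.php?id=1%27%20UNION%20SELECT%201 HTTP/1.1" 200 4821',
    '192.0.2.44 - - [26/Mar/2014:10:00:09 +0000] "GET /www/cp/edit_campaign.php?id=3&id=3%20OR%201 HTTP/1.1" 200 4790',
    '192.0.2.10 - - [26/Mar/2014:10:00:12 +0000] "GET /www/cp/index.php?id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, client, bad in scan(SAMPLE):
        print(f"line {n}: {client} sent non-numeric id {bad!r}")
```

Because the advisory states that exploitation requires a logged-in account, a flagged request can be correlated with the control-panel session that issued it.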
