High-Tech Bridge Security Research Lab discovered multiple SQL injection vulnerabilities in mAdserve, which can be exploited to execute arbitrary SQL commands in the application’s database and compromise the vulnerable website.
1.2 Input passed via the “id” HTTP GET parameter to the “/www/cp/view_adunits.php” script is not properly sanitised before being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application’s database and gain complete control over the application.
The exploitation example below displays the version of the MySQL server:
http://[host]/www/cp/view_adunits.php?id=1%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%202
1.3 Input passed via the “id” HTTP GET parameter to the “/www/cp/edit_campaign.php” script is not properly sanitised before being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application’s database and gain complete control over the application.
The exploitation example below displays the version of the MySQL server:
http://[host]/www/cp/edit_campaign.php?id=1%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%202
Successful exploitation of these vulnerabilities requires the attacker to have an account and to be logged in. User accounts are created manually by the mAdserve administrator.
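For defenders reviewing web server logs, the following added example (not part of the original advisory and not mAdserve code) flags requests to the two affected scripts whose “id” value is not a plain integer. It assumes a combined-format access log and that legitimate “id” values are numeric; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts named in sections 1.2 and 1.3 of the advisory.
AFFECTED_PATHS = {"/www/cp/view_adunits.php", "/www/cp/edit_campaign.php"}

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Assumption: a legitimate "id" is a non-empty run of ASCII digits.
NUMERIC_ID_RE = re.compile(r"[0-9]+")

# Constructed sample log lines; client addresses use documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /www/cp/view_adunits.php?id=7 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:02:13 +0000] '
    '"GET /www/cp/edit_campaign.php?id=1%27%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 4300',
    '198.51.100.5 - - [01/Jan/2024:10:05:40 +0000] '
    '"GET /www/cp/edit_campaign.php?id=12 HTTP/1.1" 200 6011',
    '192.0.2.44 - - [01/Jan/2024:10:06:02 +0000] '
    '"GET /www/index.php?id=abc HTTP/1.1" 200 900',
]


def suspicious_requests(lines):
    """Return (client_ip, path, decoded_id) for non-numeric ids on affected scripts."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a recognisable request line
        url = urlsplit(match.group(1))
        if url.path not in AFFECTED_PATHS:
            continue
        # parse_qs percent-decodes values, so %27 becomes a quote character.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if not NUMERIC_ID_RE.fullmatch(value):
                hits.append((line.split()[0], url.path, value))
    return hits


if __name__ == "__main__":
    for client, path, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} {path} id={value!r}")
```

The same integer check, applied server-side before the value reaches the SQL query, is the validation the advisory describes as missing.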