Vulners
Lucene search
AdRotate 3.9.4 SQL Injection Vulnerability
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | CVE-2014-1854 | 22 Feb 201400:00 | – | circl |
 | WordPress Plugin AdRotate SQL Injection (CVE-2014-1854) | 4 Mar 201400:00 | – | checkpoint_advisories |
 | CVE-2014-1854 | 27 Feb 201415:00 | – | cve |
 | CVE-2014-1854 | 27 Feb 201415:00 | – | cvelist |
 | AdRotate library/clicktracker.php track Parameter SQL Injection | 4 Mar 201400:00 | – | dsquare |
 | WordPress Plugin AdRotate 3.9.4 - 'clicktracker.ph?track' SQL Injection | 22 Feb 201400:00 | – | exploitdb |
 | WordPress Plugin AdRotate 3.9.4 - clicktracker.ph?track SQL Injection | 22 Feb 201400:00 | – | exploitpack |
 | SQL Injection in AdRotate | 30 Jan 201400:00 | – | htbridge |
 | CVE-2014-1854 | 27 Feb 201415:55 | – | nvd |
 | WordPress AdRotate Plugin 'clicktracker.php' SQL Injection Vulnerability | 11 Mar 201400:00 | – | openvas |
10
Vendor: AJdG Solutions
Vulnerable Version(s): 3.9.4 and probably prior
Tested Version: 3.9.4
Advisory Publication: January 30, 2014 [without technical details]
Vendor Notification: January 30, 2014
Vendor Patch: January 31, 2014
Public Disclosure: February 20, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-1854
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.
1) SQL Injection in AdRotate: CVE-2014-1854
The vulnerability exists due to insufficient validation of "track" HTTP GET parameter passed to
"/wp-content/plugins/adrotate/library/clicktracker.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.
The following PoC code contains a base64-encoded string "-1 UNION SELECT version(),1,1,1", which will be injected into SQL query and will output MySQL server version:
http://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==
Successful exploitation will result in redirection to local URI that contains version of the MySQL server:
http://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log
-----------------------------------------------------------------------------------------------
Solution:
Update to AdRotate 3.9.5
More Information:
http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/
http://wordpress.org/plugins/adrotate/changelog/
http://www.adrotateplugin.com/development/
# 0day.today [2018-04-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Feb 2014 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.0992