AdRotate 3.9.4 SQL Injection Vulnerability

ID 1337DAY-ID-21932
Type zdt
Reporter High-Tech Bridge
Modified 2014-02-21T00:00:00


AdRotate version 3.9.4 suffers from a remote SQL injection vulnerability.

                                            Vendor: AJdG Solutions
Vulnerable Version(s): 3.9.4 and probably prior
Tested Version: 3.9.4
Advisory Publication:  January 30, 2014  [without technical details]
Vendor Notification: January 30, 2014 
Vendor Patch: January 31, 2014 
Public Disclosure: February 20, 2014 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-1854
Risk Level: High 
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( ) 


Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.

1) SQL Injection in AdRotate: CVE-2014-1854

The vulnerability exists due to insufficient validation of "track" HTTP GET parameter passed to
 "/wp-content/plugins/adrotate/library/clicktracker.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.

The following PoC code contains a base64-encoded string "-1 UNION SELECT version(),1,1,1", which will be injected into SQL query and will output MySQL server version:


Successful exploitation will result in redirection to local URI that contains version of the MySQL server:



Update to AdRotate 3.9.5

More Information:

# [2018-04-09]  #