AdRotate 3.9.4 SQL Injection Vulnerability



EKU-ID: 3834 CVE: 2014-1854 OSVDB-ID:
Author: High-Tech Bridge Published: 2014-02-24 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Vendor: AJdG Solutions
Vulnerable Version(s): 3.9.4 and probably prior
Tested Version: 3.9.4
Advisory Publication:  January 30, 2014  [without technical details]
Vendor Notification: January 30, 2014 
Vendor Patch: January 31, 2014 
Public Disclosure: February 20, 2014 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-1854
Risk Level: High 
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/
  
-----------------------------------------------------------------------------------------------
  
Advisory Details:
  
High-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.
  
  
1) SQL Injection in AdRotate: CVE-2014-1854
  
The vulnerability exists due to insufficient validation of "track" HTTP GET parameter passed to
 "/wp-content/plugins/adrotate/library/clicktracker.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.
  
The following PoC code contains a base64-encoded string "-1 UNION SELECT version(),1,1,1", which will be injected into SQL query and will output MySQL server version:
  
http://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==
  
Successful exploitation will result in redirection to local URI that contains version of the MySQL server:
http://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log
  
  
-----------------------------------------------------------------------------------------------
  
Solution:
  
Update to AdRotate 3.9.5
  
More Information:
http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/
http://wordpress.org/plugins/adrotate/changelog/
http://www.adrotateplugin.com/development/