Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: security problem in AdCycle installation
From: Mark Lastdrager (markPINE.NL)
Date: Mon Nov 20 2000 - 13:25:14 CST

(resubmitting because it's not clear if the last try survived through some
ORBS filters)


"The Pike" (thepikehotmail.com) pointed us at a problem in the AdCycle
banner management system. When the installation of AdCycle is not
completed carefully, a malicious user may be able to obtain the management

Adcycle is a banner management system which is written in Perl and uses
MySQL for data storage. Installation is done by editing AdConfig.pm,
creating a Mysql user/password/database and then running the build.cgi
script. That script checks if the database connection is working (showing
the username/password it reads from AdConfig.pm) and creating the tables
within the database. The 'exploit' is quite simple: when the build.cgi
remains executable for your httpd process after the installation, every
internet user can view the output of it, including your manager password
and database password. Attackers can delete, change and add banner
campaigns. Another big problem is when build.cgi is called from a
webbrowser, the AdCycle tables are dropped so all bannercampaigns are


The installation instructions say you should set the build.cgi permissions
to 750. That will prevent some problems ofcourse, but is far from totally
secure. When the owner of the scripts for example has the same gid as the
httpd process, build.cgi is still executable for the evil outside world. I
think everyone should remove all bits from build.cgi after a succesful
install, or even completely remove it. Maybe the AdCycle makers planned to
put that advice in chapter 12 of the UNIX installation notes, which seems
to be missing (see
http://www.adcycle.com/help/messages/5/5.html?950947770). I guess a
chapter about security would be more than welcome.

We decided to publish this advisory instead of informing the author first,
because the above information is already out there and being exploited.
Besides that, the fix is quite simple (chmod 0 build.cgi) so no need to
wait for a patch or new version. Author will be cc'ed on this post

Thanks to The Pike for showing how important it is to carefully check all
software you install ;-)

Mark Lastdrager

Pine Internet BV ::  tel. +31-70-3111010 ::  fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: Vendor no longer supports the product