From: Rain Forest Puppy (rfpvulnwatch.org)
Date: Wed Dec 26 2001 - 16:22:47 CST

    [[ RFP's note:

    The virusexperts.com site is not available at the moment, so I'm unable to
    verify the following advisory. Given the code presented and also given
    the other three recent CGI posts from gobbles, I'm willing to assume it's
    a vulnerability.

    Also keep in mind that while the Vulnwatch moderators have their own take
    on the disclosure process, how someone chooses to release an advisory (as
    in, whether or not they contact the vendor) is up to them. It's still a
    free country (last time I checked), and their choice is not the
    responsibility of the moderators. ]]

    --------------------------------------------------------------------------

    If I let you, you would make me destroy myself
    In order to survive you, I must first survive myself
    I can sink no further, and I cannot forgive you
    There's no choice but to confront you, to engage you, to erase you
    I've gone to great lengths to expand my threshold of pain
    I will use my mistakes against you...

    PRODUCT
    *******

    QwikAd
    http://virusexperts.com/

    DESCRIPTION
    ***********

    QwikAd is software written in Perl language, which uses DBI with mysql
    driver to access database.

    Many SQL statements are protected from malicious SQL injection by
    penetrator, but he can still make he big dollar other ways...

    # QwikAd's input filter: strips backslash, double quote, single quote
    # and forward slash from a value before it is interpolated into SQL.
    sub stripBad {
     my $x = $_[0];
     $x =~ s/(\\|\"|\'|\/)//g;
     return $x;
    }

    OVERSIGHT 1 - qwikad script

    Many value provided by client used in SQL statement go through 'stripBad'
    filter, but programmer forget that HTTP_REFERER come from client and there
    are instances in 'qwikad' Perl script where this is plugged straight into
    SQL statement.

    OVERSIGHT 2 - publishers script

    This one best to be showed with code snippet:

    } elsif($cgi->param('action') eq 'exclude' && $cgi->param('exclude')) {
     # 'exclude' is taken from the request without passing through stripBad
     my $id = $cgi->param('exclude');
     my ($ids) = query("SELECT exclude FROM publishers WHERE user='$user'");
     # $id is also interpolated unescaped into these regexes
     if($ids =~ /$id/) {
       $ids =~ s/,$id//;
       $ids =~ s/$id,//;
     } else {
       $ids .= ",$id";
     }
     my @ids = split(',', $ids);
     my $where = "UPDATE LOW_PRIORITY publishers SET exclude='";
     foreach(@ids) {
       # the unfiltered $id ends up inside the quoted string literal
       $where .= "$_,";
     }
     $where =~ s/,$//;
     $where .= "' WHERE user='$user'";
     my $sth = $dbh->prepare($where);
     # ... statement is executed below in the original script

    Call to 'stripBad' filter omitted there. This is ridiculous. Security
    consultant can now continue to profit on insecurity :~(

    VENDOR NOTIFICATION
    *******************

    Hehehe, it's Christmas. Who going to be there to check email? Only way is to
    hope some of programmer Atheist friends read Bugtraq and can make urgent
    call to programmer interrupting his family dinner and dragging him to
    computer where he need to fix this vulnerability pronto. Enjoy the turkey.

    GOBBLES LABS
    GOBBLEShushmail.com
    http://www.bugtraq.org/
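For comparison with the 'exclude' handler in OVERSIGHT 2 above, here is the same toggle written with DBI placeholders and a numeric whitelist on the id, so that neither the id nor the user name can change the shape of the SQL. This is an added example, not QwikAd code; it assumes DBD::SQLite is installed (the MySQL-only LOW_PRIORITY keyword is dropped) and uses constructed sample rows in an in-memory database.

```perl
#!/usr/bin/perl
# Added example (not from the QwikAd script): exclude-list toggle hardened
# with DBI bind parameters and input validation. Assumes DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE publishers (user TEXT PRIMARY KEY, exclude TEXT)");
# Constructed sample data for the demonstration.
$dbh->do("INSERT INTO publishers VALUES ('alice', '12,34')");
$dbh->do("INSERT INTO publishers VALUES ('bob', '99')");

# Toggle $id in $user's exclude list. Returns the new comma-separated list,
# or undef when the id is rejected or the user does not exist.
sub toggle_exclude {
    my ($dbh, $user, $id) = @_;
    # Whitelist instead of blacklist: only a plain integer id is accepted.
    # stripBad would have passed anything without quote, backslash or slash.
    return undef unless defined $id && $id =~ /\A\d{1,10}\z/;

    # Bind parameters: the driver sends $user as data, never as SQL text.
    my ($ids) = $dbh->selectrow_array(
        "SELECT exclude FROM publishers WHERE user = ?", undef, $user);
    return undef unless defined $ids;

    # Exact-match toggle; the original's /$id/ also let '1' match '12'.
    my @ids = grep { length } split /,/, $ids;
    my @new = grep { $_ ne $id } @ids;
    push @new, $id if @new == @ids;   # id was not present, so add it

    my $list = join ',', @new;
    $dbh->do("UPDATE publishers SET exclude = ? WHERE user = ?",
             undef, $list, $user);
    return $list;
}

print "remove 34: ", toggle_exclude($dbh, 'alice', '34'), "\n";
print "add 34 back: ", toggle_exclude($dbh, 'alice', '34'), "\n";
my $r = toggle_exclude($dbh, 'alice', "1' OR '1'='1");
print "quoted id: ", (defined $r ? "accepted" : "rejected"), "\n";
```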