Advisory ID: HTB23209
Product: mAdserve
Vendor: MobFox
Vulnerable Version(s): 2.0 and probably prior
Tested Version: 2.0
Advisory Publication: March 26, 2014 [without technical details]
Vendor Notification: March 26, 2014
Public Disclosure: April 16, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-2654
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple SQL injection vulnerabilities in mAdserve, which can be exploited to execute arbitrary SQL commands in the application's database and compromise the vulnerable website.
1) SQL Injection in mAdserve: CVE-2014-2654
1.1 The vulnerability exists due to insufficient sanitization of user input passed via the "id" HTTP GET parameter to the "/www/cp/edit_ad_unit.php" script. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application's database and gain complete control over the application.
The exploitation example below displays the version of the MySQL server:
http://[host]/www/cp/edit_ad_unit.php?id=1%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,version%28%29,13,14,15,16,17%20--%202
1.2 Input passed via the "id" HTTP GET parameter to the "/www/cp/view_adunits.php" script is not properly sanitised before being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application's database and gain complete control over the application.
The exploitation example below displays the version of the MySQL server:
http://[host]/www/cp/view_adunits.php?id=1%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%202
1.3 Input passed via the "id" HTTP GET parameter to the "/www/cp/edit_campaign.php" script is not properly sanitised before being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application's database and gain complete control over the application.
The exploitation example below displays the version of the MySQL server:
http://[host]/www/cp/edit_campaign.php?id=1%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%202
Successful exploitation of these vulnerabilities requires the attacker to have an account and to be logged in. User accounts are manually created by the mAdserve administrator.
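All three issues above share one root cause: a string-typed "id" value reaching a SQL query without validation or parameter binding. The PHP below is an added illustration written for this advisory, not mAdserve's own code (the advisory does not reproduce the affected source). It shows the generic unsafe pattern that CWE-89 describes next to a hardened handler that validates the parameter as an integer and binds it through a prepared statement. The table name "ad_units", its columns, and the $db connection setup are assumptions.

```php
<?php
// Added example, not mAdserve code. Table/column names are assumptions.

// UNSAFE pattern (illustrative only): the raw GET value is spliced into
// the SQL string, so a quote in "id" terminates the literal and lets the
// remainder of the parameter be parsed as SQL (CWE-89).
function get_ad_unit_unsafe(mysqli $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM ad_units WHERE id = '" . $id . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED: reject anything that is not a positive integer before the
// database is touched, then bind the value so it can never be parsed as SQL.
function get_ad_unit_safe(PDO $db, array $get): ?array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        // Payloads such as  1' UNION SELECT ...  fail here with a 400,
        // which is also a cheap signal worth logging on the defender's side.
        http_response_code(400);
        error_log('edit_ad_unit: rejected non-integer id parameter');
        return null;
    }

    $stmt = $db->prepare('SELECT id, name FROM ad_units WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection setup (assumed DSN/credentials). Disabling emulated prepares
// makes PDO send real server-side prepared statements to MySQL, so the
// separation between query text and data is enforced by the server.
function connect(): PDO
{
    $db = new PDO('mysql:host=localhost;dbname=madserve;charset=utf8mb4', 'user', 'pass');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $db;
}

// Usage in a request handler:
// $row = get_ad_unit_safe(connect(), $_GET);
```

The same two-step fix (type validation plus bound parameters) applies unchanged to the "id" parameter of view_adunits.php and edit_campaign.php; a whitelist-by-type check also gives a clear point to attach logging, since a legitimate client never sends quotes or SQL keywords in a numeric identifier.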
-----------------------------------------------------------------------------------------------
Solution:
The vendor did not reply to 3 notifications by email, 3 notifications via contact form and 1 notification via Twitter. Currently we are not aware of any official solution for this vulnerability.
An unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23209-patch.zip
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23209 - https://www.htbridge.com/advisory/HTB23209 - SQL Injection in mAdserve.
[2] mAdserve - http://www.madserve.org/ - The Open Source Mobile Ad Server for Publishers.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.