Home page logo
/

bugtraq logo Bugtraq mailing list archives

security problem in AdCycle installation
From: Mark Lastdrager <mark () PINE NL>
Date: Mon, 20 Nov 2000 20:25:14 +0100

(resubmitting because it's not clear if the last try survived through some
ORBS filters)

Hi,

"The Pike" (thepike () hotmail com) pointed us at a problem in the AdCycle
banner management system. When the installation of AdCycle is not
completed carefully, a malicious user may be able to obtain the management
username/password.

Adcycle is a banner management system which is written in Perl and uses
MySQL for data storage. Installation is done by editing AdConfig.pm,
creating a Mysql user/password/database and then running the build.cgi
script. That script checks if the database connection is working (showing
the username/password it reads from AdConfig.pm) and creating the tables
within the database. The 'exploit' is quite simple: when the build.cgi
remains executable for your httpd process after the installation, every
internet user can view the output of it, including your manager password
and database password. Attackers can delete, change and add banner
campaigns. Another big problem is when build.cgi is called from a
webbrowser, the AdCycle tables are dropped so all bannercampaigns are
lost.

FIX:

The installation instructions say you should set the build.cgi permissions
to 750. That will prevent some problems ofcourse, but is far from totally
secure. When the owner of the scripts for example has the same gid as the
httpd process, build.cgi is still executable for the evil outside world. I
think everyone should remove all bits from build.cgi after a succesful
install, or even completely remove it. Maybe the AdCycle makers planned to
put that advice in chapter 12 of the UNIX installation notes, which seems
to be missing (see
http://www.adcycle.com/help/messages/5/5.html?950947770). I guess a
chapter about security would be more than welcome.

We decided to publish this advisory instead of informing the author first,
because the above information is already out there and being exploited.
Besides that, the fix is quite simple (chmod 0 build.cgi) so no need to
wait for a patch or new version. Author will be cc'ed on this post
ofcourse.

Thanks to The Pike for showing how important it is to carefully check all
software you install ;-)


Mark Lastdrager

--
Pine Internet BV ::  tel. +31-70-3111010 ::  fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: Vendor no longer supports the product


  By Date           By Thread  

Current thread:
  • security problem in AdCycle installation Mark Lastdrager (Nov 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]