|
|
|
|
| |
| QwikAd is software written in Perl, which uses DBI with MySQL driver to access database. A security vulnerability in the product allows remote attackers to insert malicious SQL statements into existing ones. |
| |
Credit:
The information has been provided by GOBBLES LABS.
|
| |
Vulnerable systems:
QwikAd version 1.0
QwikAd script:
Many values provided by client used in the SQL statements go through 'stripBad' filter, however the author of the program forget that HTTP_REFERER data values that comes client can also contain malicious code, and if it used inside an SQL statement (as in the case of QwikAd), an attacker Can cause the program to execute malicious code.
Publishers script:
This is vulnerability best illustrated by the following example:
} elsif($cgi->param('action') eq 'exclude' && $cgi->param('exclude')) {
my $id = $cgi->param('exclude');
my ($ids) = query("SELECT exclude FROM publishers WHERE user='$user'");
if($ids =~ /$id/) {
$ids =~ s/,$id//;
$ids =~ s/$id,//;
} else {
$ids .= ",$id";
}
my @ids = split(',', $ids);
my $where = "UPDATE LOW_PRIORITY publishers SET exclude='";
foreach(@ids) {
$where .= "$_,";
}
$where =~ s/,$//;
$where .= "' WHERE user='$user'";
my $sth = $dbh->prepare($where);
The call to 'stripBad' filter has been obviously omitted here.
|
|
|
|
|
