If the AdCycle installation process is not completed successfully, a malicious user may be able to obtain the management username/password. Some CGIs that are left behind allow remote access to sensitive information such as administrative passwords, MySQL usernames/passwords, table names, etc.
Credit:
The information has been provided by The Pike and Mark Lastdrager.
AdCycle is a banner management system that is written in Perl and uses MySQL for data storage. Installation is done by editing AdConfig.pm, creating a MySQL user/password/database and then running the build.cgi script. That script checks whether the database connection is working (showing the username/password it reads from AdConfig.pm) and creates the tables within the database.
Exploit:
The exploit is quite simple: if build.cgi remains executable by your HTTPd process after the installation, every internet user can view its output, including your manager password and database password. Attackers can then delete, change and add banner campaigns. Another big problem is that when build.cgi is called from a web browser, the AdCycle tables are dropped, so all banner campaigns are lost.
Fix:
The installation instructions say you should set the build.cgi permissions to 750. That will prevent some problems of course, but is far from totally secure. Mode 750 still grants execute permission to the file's group, so when the owner of the scripts has the same gid as the HTTPd process, build.cgi is still executable for the evil outside world.
It is recommended that you remove all permission bits from build.cgi after a successful installation, or even completely remove the files.
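
The group-ownership gap described under Fix can be checked after installation with a script like the following. This is an added example, not part of the original advisory or of AdCycle; the function names, the `www-data` account and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example. POSIX mode bits only (no ACLs); audit_cgi assumes GNU stat.

# can_exec MODE FILE_UID FILE_GID HTTPD_UID "HTTPD_GIDS"
# MODE is octal (e.g. 750); HTTPD_GIDS is the space-separated list of the
# server account's group ids. Returns 0 when the kernel would allow execute.
can_exec() {
    mode=$1 fuid=$2 fgid=$3 huid=$4 hgids=$5
    perms=$(( 0$mode & 0777 ))
    if [ "$huid" -eq 0 ]; then
        bit=$(( perms & 0111 ))          # root: any execute bit is enough
    elif [ "$huid" -eq "$fuid" ]; then
        bit=$(( perms & 0100 ))          # owner class
    else
        bit=$(( perms & 0001 ))          # other class, unless a group matches
        for g in $hgids; do
            if [ "$g" -eq "$fgid" ]; then
                bit=$(( perms & 0010 ))  # group class: the 750 case
                break
            fi
        done
    fi
    [ "$bit" -ne 0 ]
}

# audit_cgi FILE HTTPD_USER: report on one leftover script without running it.
audit_cgi() {
    file=$1 user=$2
    if [ ! -e "$file" ]; then
        echo "OK       $file has been removed"
        return 0
    fi
    set -- $(stat -c '%a %u %g' "$file")
    if can_exec "$1" "$2" "$3" "$(id -u "$user")" "$(id -G "$user")"; then
        echo "EXPOSED  $file (mode $1) is executable by $user"
        return 1
    fi
    echo "OK       $file (mode $1) is not executable by $user"
}

# Usage (path and account name are placeholders for your installation):
#   audit_cgi /path/to/cgi-bin/build.cgi www-data
```

A non-zero return from `audit_cgi` means the script is still reachable by the web server account and should have its permission bits cleared or be deleted.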