PRODUCT
*******

AdRotate Pro
http://www.vanbrunt.com/adrotate/

This is used by a lot of sites out there in the wild.

DESCRIPTION
***********

AdRotate is ad-rotating software written in Perl which uses DBI with the MySQL driver to access its database. Included with the software is the module adrotate.pm, which contains the subroutine 'get_input' to process data sent by the client with the GET or POST method. This routine is called by many AdRotate scripts, and its results are stored in the associative array named 'in'.

AdRotate constructs a great many SQL statements with data taken straight from 'in' without any sanity checking. Thus it is possible to use SQL injection attacks against AdRotate to manipulate the server's database.

It may be possible to modify data in the database and then gain the ability to execute arbitrary commands on the server by abusing the software's calls to open() with the well-known pipe trick and the like (the second argument in all of AdRotate's calls to open() is otherwise safe, as it comes from hardcoded values or values returned by database queries). These commands would run in the context of the webserver process (most likely 'nobody', 'www', etc.).

VENDOR NOTIFICATION
*******************

No time to notify vendor. This is marathon.

GOBBLES Labs
GOBBLES@hushmail.com
http://www.bugtraq.org/
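The two defects described above, the SQL-from-'in' interpolation and the two-argument open() whose second argument comes from the database, both have standard Perl fixes. The following is an added example written for this page; it is not AdRotate's code, and 'parse_query_string' is only a hypothetical stand-in for the get_input routine. It assumes DBI and DBD::SQLite are installed and builds its own in-memory table, so it runs offline. The unsafe lookup breaks on a legitimate value containing a quote (the same property an injection relies on), while the placeholder version returns the row intact.

```perl
#!/usr/bin/perl
# Added example, not AdRotate's code. Assumes DBI + DBD::SQLite.
use strict;
use warnings;
use DBI;

# Hypothetical stand-in for a get_input()-style routine: turns a query
# string into a hash (%in), decoding '+' and %XX escapes. Constructed here.
sub parse_query_string {
    my ($qs) = @_;
    my %in;
    for my $pair (split /[&;]/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        }
        $in{$k} = $v;
    }
    return \%in;
}

# VULNERABLE pattern: request data interpolated straight into the SQL text.
# Any quote in $in->{zone} ends the string literal; what follows is parsed as SQL.
sub lookup_unsafe {
    my ($dbh, $in) = @_;
    my $sql = "SELECT url FROM ads WHERE zone = '$in->{zone}'";
    return $dbh->selectcol_arrayref($sql);
}

# HARDENED pattern: a placeholder. DBI sends the value separately from the
# statement, so it can only ever be data, never SQL syntax.
sub lookup_safe {
    my ($dbh, $in) = @_;
    return $dbh->selectcol_arrayref(
        'SELECT url FROM ads WHERE zone = ?', undef, $in->{zone});
}

# The advisory's second point: open() whose second argument is attacker-
# influenced data. Three-argument open with an explicit mode treats the
# value strictly as a filename, so pipe-style tricks cannot apply.
sub read_file_safely {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    local $/;                 # slurp mode
    my $content = <$fh>;
    close $fh;
    return $content;
}

# --- demo on a constructed in-memory database ---
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE ads (id INTEGER PRIMARY KEY, zone TEXT, url TEXT)');
my $ins = $dbh->prepare('INSERT INTO ads (zone, url) VALUES (?, ?)');
$ins->execute('top',      'http://example.com/a');   # constructed rows
$ins->execute("O'Reilly", 'http://example.com/b');

# A perfectly ordinary zone name that happens to contain a quote.
my $in = parse_query_string('zone=O%27Reilly');

# Unsafe: the quote splits the literal and SQLite rejects the statement
# (a syntax error here is the benign symptom of an injectable query).
my $rows = eval { lookup_unsafe($dbh, $in) };
print 'unsafe: ', ($@ ? "SQL error: $@" : join(',', @$rows)), "\n";

# Safe: the placeholder version returns the matching row, quote and all.
print 'safe:   ', join(',', @{ lookup_safe($dbh, $in) }), "\n";
```

For a code base like the one described, the practical audit is mechanical: grep every DBI `do`/`prepare`/`select*` call for a double-quoted statement that interpolates `$in{...}`, and every `open(` for the two-argument form; each hit is converted to a placeholder or to three-argument open as shown.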