If I let you, you would make me destroy myself
In order to survive you, I must first survive myself
I can sink no further, and I cannot forgive you
There's no choice but to confront you, to engage you, to erase you
I've gone to great lengths to expand my threshold of pain
I will use my mistakes against you...

PRODUCT
*******

QwikAd
http://virusexperts.com/

DESCRIPTION
***********

QwikAd is software written in the Perl language, which uses DBI with the MySQL driver to access its database. Many SQL statements are protected from malicious SQL injection by a penetrator, but he can still make the big dollar other ways...

    # Filter applied to most client-supplied values before they are
    # interpolated into SQL: strips backslash, double quote, single quote
    # and forward slash.
    sub stripBad {
        my $x = $_[0];
        $x =~ s/(\\|\"|\'|\/)//g;
        return $x;
    }

OVERSIGHT 1 - qwikad script

Many values provided by the client and used in SQL statements go through the 'stripBad' filter, but the programmer forgot that HTTP_REFERER also comes from the client, and there are instances in the 'qwikad' Perl script where this is plugged straight into an SQL statement.

OVERSIGHT 2 - publishers script

This one is best shown with a code snippet:

    } elsif($cgi->param('action') eq 'exclude' && $cgi->param('exclude')) {
        # $id is taken straight from the client and never passed through stripBad
        my $id = $cgi->param('exclude');
        my ($ids) = query("SELECT exclude FROM publishers WHERE user='$user'");
        if($ids =~ /$id/) {
            $ids =~ s/,$id//;
            $ids =~ s/$id,//;
        } else {
            $ids .= ",$id";
        }
        my @ids = split(',', $ids);
        my $where = "UPDATE LOW_PRIORITY publishers SET exclude='";
        foreach(@ids) {
            $where .= "$_,";
        }
        $where =~ s/,$//;
        # $id ends up inside the quoted exclude value of this statement
        $where .= "' WHERE user='$user'";
        my $sth = $dbh->prepare($where);

The call to the 'stripBad' filter is omitted there. This is ridiculous. The security consultant can now continue to profit on insecurity :~(

VENDOR NOTIFICATION
*******************

Hehehe, it's Christmas. Who is going to be there to check email? The only way is to hope some of the programmer's Atheist friends read Bugtraq and can make an urgent call to the programmer, interrupting his family dinner and dragging him to the computer where he needs to fix this vulnerability pronto. Enjoy the turkey.
GOBBLES LABS GOBBLES@hushmail.com http://www.bugtraq.org/
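For readers who want to see how both oversights are closed without a character-stripping filter, here is the 'exclude' handler rewritten around DBI bind parameters. This is an added example, not QwikAd's code and not from the advisory above; it assumes DBD::SQLite is available so it runs offline against an in-memory database, and the table layout, the user 'alice' and the function names (toggle_exclude, log_referer) are constructed for the illustration. The same pattern applies to the HTTP_REFERER case from oversight 1: whatever the client sent travels as a bind value, never as part of the SQL text.

```perl
#!/usr/bin/perl
# Added example, not QwikAd's code: client-supplied values bound with
# placeholders instead of being interpolated into the SQL string.
# Assumes DBD::SQLite is installed (in-memory database, nothing on disk).
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Constructed schema standing in for QwikAd's 'publishers' table.
$dbh->do("CREATE TABLE publishers (user TEXT PRIMARY KEY, "
       . "exclude TEXT NOT NULL DEFAULT '')");
$dbh->do("CREATE TABLE referer_log (user TEXT, referer TEXT)");
$dbh->do("INSERT INTO publishers (user, exclude) VALUES (?, ?)",
         undef, 'alice', '7,12');

# Toggle campaign $id in the comma-separated exclude list of $user.
# Both values are bind parameters, so quotes or SQL fragments inside them
# cannot alter the statement; no stripBad-style filtering is needed.
sub toggle_exclude {
    my ($dbh, $user, $id) = @_;

    # Campaign ids are integers; anything else is rejected before any SQL runs.
    die "bad exclude id\n" unless defined $id && $id =~ /\A\d+\z/;

    my ($ids) = $dbh->selectrow_array(
        "SELECT exclude FROM publishers WHERE user = ?", undef, $user);
    return undef unless defined $ids;

    # Compare whole list elements; the original /$id/ regex would also
    # match '1' inside '12'.
    my @list = grep { length } split /,/, $ids;
    my %present = map { $_ => 1 } @list;
    if ($present{$id}) {
        @list = grep { $_ ne $id } @list;
    } else {
        push @list, $id;
    }
    my $new = join ',', @list;

    $dbh->do("UPDATE publishers SET exclude = ? WHERE user = ?",
             undef, $new, $user);
    return $new;
}

# Oversight 1 handled the same way: HTTP_REFERER is client data and is
# bound, not interpolated.  (Hypothetical logging table for the example.)
sub log_referer {
    my ($dbh, $user) = @_;
    my $ref = defined $ENV{HTTP_REFERER} ? $ENV{HTTP_REFERER} : '';
    $dbh->do("INSERT INTO referer_log (user, referer) VALUES (?, ?)",
             undef, $user, $ref);
    return $ref;
}

# Constructed runs.
print "after removing 12: ", toggle_exclude($dbh, 'alice', '12'), "\n";
print "after adding 3:    ", toggle_exclude($dbh, 'alice', '3'),  "\n";

# A value carrying a quote never reaches the database.
eval { toggle_exclude($dbh, 'alice', "12'") };
print "rejected: $@" if $@;

$ENV{HTTP_REFERER} = "http://example.invalid/?q=it's";   # constructed value
log_referer($dbh, 'alice');
my ($stored) = $dbh->selectrow_array(
    "SELECT referer FROM referer_log WHERE user = ?", undef, 'alice');
print "stored referer verbatim: $stored\n";
```

Note that the integer check on $id is defence in depth, not the fix itself; the placeholders are what keep the statement's structure fixed regardless of the value. Stripping quote characters, as stripBad does, only helps where the value lands inside a quoted string, so binding is the safer default for every client-supplied value, including request headers such as HTTP_REFERER.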