COMMAND

    AdCycle

SYSTEMS AFFECTED

    AdCycle

PROBLEM

    Mark Lastdrager  posted following.   "The Pike"  pointed us  at  a
    problem  in  the  AdCycle  banner  management  system.   When  the
    installation of  AdCycle is  not completed  carefully, a malicious
    user may be able to obtain the management username/password.

    Adcycle is a banner management system which is written in Perl and
    uses MySQL  for data  storage.   Installation is  done by  editing
    AdConfig.pm,  creating  a  Mysql  user/password/database  and then
    running the build.cgi script.  That script checks if the  database
    connection  is  working  (showing  the  username/password it reads
    from AdConfig.pm)  and creating  the tables  within the  database.
    The  'exploit'  is  quite  simple:  when  the  build.cgi   remains
    executable for  your httpd  process after  the installation, every
    internet user can  view the output  of it, including  your manager
    password and database password.  Attackers can delete, change  and
    add banner campaigns.   Another big problem  is when build.cgi  is
    called from a  webbrowser, the AdCycle  tables are dropped  so all
    bannercampaigns are lost.

SOLUTION

    The installation  instructions say  you should  set the  build.cgi
    permissions to  750.   That will  prevent some  problems ofcourse,
    but is far  from totally secure.   When the owner  of the  scripts
    for example has  the same gid  as the httpd  process, build.cgi is
    still  executable  for  the  evil  outside world.  Everyone should
    remove  all  bits  from  build.cgi  after  a succesful install, or
    even completely remove  it.  Maybe  the AdCycle makers  planned to
    put that  advice in  chapter 12  of the  UNIX installation  notes,
    which seems to be missing.