Adcycle Password Disclosure Vulnerability

Adcycle is a banner advertisement administration tool from It utilizes a connection to a MySQL database to manage and display clickable advertisement banners.

Upon installation, Adcycle leaves permissions to its database configuration script 'build.cgi' accessible to remote users. This script is designed to assist in configuring the connection to Adcycle's MySQL database.

As part of this functionality, build.cgi outputs the applicable manager and database passwords.

Normally, this script would be disabled prior to the completion of the installation. However, it remains executable by the host's httpd process. By executing this script, a remote user can obtain the management password and gain access to Adcycle's configuration, allowing the addition, modification or deletion of ad campaigns. A user may also further compromise the software package and possibly the underlying system with the MySQL database password.

In addition, when the script is executed, the AdCycle tables are wiped out. This could lead to a loss of data and/or denial of service.


Privacy Statement
Copyright 2010, SecurityFocus