[FD] [REVIVE-SA-2021-002] Revive Adserver Vulnerabilities

2021-01-26 Thread Matteo Beccati via Fulldisclosure

Revive Adserver Security Advisory REVIVE-SA-2021-002

https://www.revive-adserver.com/security/revive-sa-2021-002

CVE-IDs:   CVE-2021-22874, CVE-2021-22875
Date:  2020-01-26
Risk Level:Low
Applications affected: Revive Adserver
Versions affected: <= 5.1.0
Versions not affected: >= 5.1.1
Website:   https://www.revive-adserver.com/




Vulnerability 1 - Reflected XSS

Vulnerability Type:Improper Neutralization of Input During Web Page
   Generation ('Cross-site Scripting') [CWE-79]
CVE-ID:CVE-2021-22874
CVSS Base Score:   4.3
CVSSv3.1 Vector:   AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore:  1.4
CVSS Exploitability Subscore: 2.8


Description
---
Security researcher Alexey Solovyev (solov9ev) has discovered a
reflected XSS vulnerability in userlog-index.php. An attacker could
trick a user with access to the user interface of a Revive Adserver
instance into clicking on a specifically crafted URL and execute
injected JavaScript code.


Details
---
The period_preset parameter was not fully escaped in userlog-index.php
(and possibly other scripts) when printed in a JavaScript context,
allowing an attacker to work around the existing escaping with the
injection of a closing </script> tag. That allows an attacker to append
other malicious HTML and/or JavaScript code. What could be injected is
limited by the existing escaping, and the session cookie cannot be
accessed or stolen via JavaScript.

References
--
https://hackerone.com/reports/1083231
https://github.com/revive-adserver/revive-adserver/commit/e2a67ce8
https://cwe.mitre.org/data/definitions/79.html




Vulnerability 2 - Reflected XSS

Vulnerability Type:Improper Neutralization of Input During Web Page
   Generation ('Cross-site Scripting') [CWE-79]
CVE-ID:CVE-2021-22875
CVSS Base Score:   4.3
CVSSv3.1 Vector:   AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore:  1.4
CVSS Exploitability Subscore: 2.8


Description
---
Security researcher Alexey Solovyev (solov9ev) has discovered a
reflected XSS vulnerability in stats.php. An attacker could trick a user
with access to the user interface of a Revive Adserver instance into
clicking on a specifically crafted URL and pressing a certain key
combination to execute injected JavaScript code.


Details
---
The setPerPage parameter was not fully escaped in stats.php (and
possibly other scripts) when printed in an HTML attribute, allowing an
attacker to work around the existing escaping and to inject other HTML
attributes. The published exploit requires the victim to press a complex
combination of keys to execute JavaScript code injected as an onclick
attribute of a hidden form field. Again, the session cookie cannot be
accessed or stolen via JavaScript.
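Worked illustration of the two output contexts described in this advisory
(the JavaScript-context bug in userlog-index.php and the attribute-context
bug in stats.php). This is an example added for this page, not Revive
Adserver's code: the rendering functions, the addslashes()/htmlspecialchars()
variants and the payloads are assumptions chosen to reproduce the class of
mistake the advisory describes, not the project's actual source. Runs from
the command line with PHP 7 or later.

```php
<?php
// Added example (not Revive Adserver code): the two output contexts from the
// advisory, each with a partial escaping routine and a corrected one.

// --- Context 1: value printed inside a <script> block (cf. period_preset) ---

// Weak: addslashes() escapes quotes and backslashes only, so the string can
// still contain "</script>", which the HTML parser honours before any JS runs.
function render_js_weak(string $value): string {
    return "<script>var preset = '" . addslashes($value) . "';</script>";
}

// Fixed: json_encode() with the HEX flags turns < > & ' " into \uXXXX escapes,
// so no byte sequence that the HTML parser treats as a tag can appear.
function render_js_fixed(string $value): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return "<script>var preset = " . json_encode($value, $flags) . ";</script>";
}

// --- Context 2: value printed inside an HTML attribute (cf. setPerPage) ---

// Weak: single-quoted attribute, but ENT_COMPAT leaves single quotes alone,
// so a value containing ' closes the attribute and whatever follows becomes
// a new attribute (onclick=, ...).
function render_attr_weak(string $value): string {
    return "<input type='hidden' name='setPerPage' value='"
        . htmlspecialchars($value, ENT_COMPAT) . "'>";
}

// Fixed: ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE avoids the
// empty-string result on invalid UTF-8, which would silently drop the value.
function render_attr_fixed(string $value): string {
    return '<input type="hidden" name="setPerPage" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Crude check: does the attacker-controlled text reach the markup as a tag or
// as a new attribute? Enough to show the difference between the variants.
function escapes_context(string $html, string $needle): bool {
    return strpos($html, $needle) !== false;
}

// Constructed payloads, one per context.
$jsPayload   = "</script><script>alert(document.domain)</script>";
$attrPayload = "15' onclick='alert(document.domain)";

printf("JS weak    breaks out: %s\n", escapes_context(render_js_weak($jsPayload), '</script><script>') ? 'yes' : 'no');
printf("JS fixed   breaks out: %s\n", escapes_context(render_js_fixed($jsPayload), '</script><script>') ? 'yes' : 'no');
printf("attr weak  injects:    %s\n", escapes_context(render_attr_weak($attrPayload), "' onclick='") ? 'yes' : 'no');
printf("attr fixed injects:    %s\n", escapes_context(render_attr_fixed($attrPayload), "' onclick='") ? 'yes' : 'no');
```

Run it with php and compare the four lines: only the two "weak" renderers
let the attacker text reach the parser as a new tag or a new attribute. The
rule it demonstrates is that escaping has to match the context in which the
value is printed: quote escaping alone does nothing inside <script>, and
quote escaping that skips single quotes does nothing inside a single-quoted
attribute.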



References
--
https://hackerone.com/reports/1083376
https://github.com/revive-adserver/revive-adserver/commit/6f46076a
https://cwe.mitre.org/data/definitions/79.html



Solution


We strongly advise people to upgrade to the most recent 5.1.1 version of
Revive Adserver.



Contact Information


The security contact for Revive Adserver can be reached at:
.

Please review https://www.revive-adserver.com/security/ before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] [REVIVE-SA-2021-001] Revive Adserver Vulnerabilities

2021-01-22 Thread Matteo Beccati via Fulldisclosure

Revive Adserver Security Advisory REVIVE-SA-2021-001

https://www.revive-adserver.com/security/revive-sa-2021-001

CVE-IDs:   CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
Date:  2020-01-19
Risk Level:Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.5
Versions not affected: >= 5.1.0
Website:   https://www.revive-adserver.com/




Vulnerability 1 - Persistent XSS

Vulnerability Type:Improper Neutralization of Input During Web Page
   Generation ('Cross-site Scripting') [CWE-79]
CVE-ID:CVE-2021-22871
CVSS Base Score:   3.5
CVSSv3.1 Vector:   AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore:  2.5
CVSS Exploitability Subscore: 0.9


Description
---
A persistent XSS vulnerability has been discovered by security
researcher Keyur Vala. An attacker with manager account credentials could
store HTML code in a website property, which could subsequently be
displayed unescaped on a specific page by other users in the system.


Details
---
Any user with a manager account could store specifically crafted content
in the URL website property which was then displayed unsanitised in the
affiliate-preview.php tag generation screen, potentially by other users
in the system, allowing a persistent XSS attack to take place.
The target users would however mostly have access to the same resources
as the attacker, so the practical applications are not considered
particularly harmful, especially since the session cookie cannot be
accessed via JavaScript.


References
--
https://hackerone.com/reports/819362
https://github.com/revive-adserver/revive-adserver/commit/89b88ce26
https://github.com/revive-adserver/revive-adserver/commit/62a2a0439
https://cwe.mitre.org/data/definitions/79.html




Vulnerability 2 - Reflected XSS

Vulnerability Type:Improper Neutralization of Input During Web Page
   Generation ('Cross-site Scripting') [CWE-79]
CVE-ID:CVE-2021-22872
CVSS Base Score:   4.3
CVSSv3.1 Vector:   AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore:  1.4
CVSS Exploitability Subscore: 2.8


Description
---

Security researcher Axel Flamcourt has discovered that the fix for the
reflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on
older browsers with specifically crafted payloads to the publicly
accessible afr.php delivery script of Revive Adserver. The practical
applications are not considered particularly harmful, especially since
the session cookie cannot be accessed via JavaScript.


Details
---
The previous fix was working on most modern browsers, but some older
browsers do not automatically URL-encode parameters, leaving an
opportunity to inject closing and opening script tags and achieve
reflected XSS attacks, e.g. on IE11.


References
--
https://hackerone.com/reports/986365
https://www.revive-adserver.com/security/revive-sa-2020-001
https://github.com/revive-adserver/revive-adserver/commit/00fdb8d0e
https://github.com/revive-adserver/revive-adserver/commit/1dbcf7d50
https://cwe.mitre.org/data/definitions/79.html



Vulnerability 3 - Open Redirect

Vulnerability Type:URL Redirection to Untrusted Site
   ('Open Redirect') [CWE-601]
CVE-ID:CVE-2021-22873
CVSS Base Score:   5.4
CVSSv3.1 Vector:   AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Impact Subscore:  2.5
CVSS Exploitability Subscore: 2.8


Description
---
An opportunity for open redirects has been available by design since the
early versions of Revive Adserver's predecessors in the impression and
click tracking scripts to allow third party ad servers to track such
metrics when delivering ads. Historically the display advertising
industry has considered that to be a feature, not a real vulnerability.
Things have evolved since then and third party click tracking via
redirects is not a viable option anymore, therefore any functionality

[FD] [REVIVE-SA-2020-002] Revive Adserver Vulnerabilities

2020-03-13 Thread Matteo Beccati via Fulldisclosure

Revive Adserver Security Advisory REVIVE-SA-2020-002

https://www.revive-adserver.com/security/revive-sa-2020-002

CVE-IDs:   t.b.a.
Date:  2020-03-12
Risk Level:Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.4
Versions not affected: >= 5.0.5
Website:   https://www.revive-adserver.com/




Vulnerability 1 - Security restriction bypass

Vulnerability Type:Incorrect Authorization [CWE-863]
CVE-ID:t.b.a.
CVSS Base Score:   5.6
CVSSv3.1 Vector:   AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS Impact Subscore:  5.2
CVSS Exploitability Subscore: 0.4


Description
---
A security restriction bypass vulnerability has been discovered by
HackerOne user hoangn144. Revive Adserver, like many other applications,
requires the logged-in user to type the current password in order to
change the e-mail address or the password. It was however possible for
anyone with access to a Revive Adserver admin user interface to bypass
that check and change the e-mail address or password of the currently
logged-in user by altering the form payload.


Details
---
The attack requires physical access to the user interface of a logged-in
user. If the POST payload was altered by turning the "pwold" parameter
into an array, Revive Adserver would fetch and authorise the operation
even if no password was provided.
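Added example, not Revive Adserver's code, of the request-parameter type
confusion behind this bypass. Only the parameter name pwold comes from the
advisory; the handler, the presence check and the session layout are
constructed stand-ins, and the exact logic that was bypassed in Revive is not
reproduced here. PHP 7.1 or later.

```php
<?php
// Added example (not Revive Adserver code). The parameter name pwold is from
// the advisory; everything else is a constructed stand-in for the bug class.

// PHP decodes "pwold[]=" or "pwold[x]=y" in a form body into an array, so a
// handler that assumes a string may receive an array instead.
function parse_form_body(string $body): array {
    parse_str($body, $params);
    return $params;
}

// Weak: "did the user type the current password?" via empty(). An array with
// one element is not empty, so the check passes without any password text.
function old_password_present_weak($pwold): bool {
    return !empty($pwold);
}

// Hardened: the value must be a non-empty string; arrays, ints and missing
// values are rejected explicitly before anything else happens.
function require_string(array $params, string $name): ?string {
    $v = $params[$name] ?? null;
    return (is_string($v) && $v !== '') ? $v : null;
}

// The credential change itself: verify the current password against the
// stored hash first, then validate the new values, then mutate.
function change_credentials(array $post, array $session, string $currentHash): array {
    $pwold = require_string($post, 'pwold');
    if ($pwold === null) {
        return ['ok' => false, 'error' => 'current password missing or malformed'];
    }
    if (!password_verify($pwold, $currentHash)) {
        return ['ok' => false, 'error' => 'current password incorrect'];
    }
    $email = require_string($post, 'email');
    $pwnew = require_string($post, 'pwnew');
    if ($email !== null && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'invalid e-mail'];
    }
    // Only now mutate: store a new hash, never the cleartext.
    return [
        'ok'      => true,
        'user'    => $session['user_id'],
        'email'   => $email,
        'newhash' => $pwnew !== null ? password_hash($pwnew, PASSWORD_DEFAULT) : null,
    ];
}

// Constructed inputs: empty password, array-typed password, correct password.
$hash    = password_hash('s3cret-old', PASSWORD_DEFAULT);
$session = ['user_id' => 42];

foreach (['pwold=&email=x%40example.net',
          'pwold[]=&email=x%40example.net',
          'pwold=s3cret-old&email=x%40example.net'] as $body) {
    $post = parse_form_body($body);
    $r    = change_credentials($post, $session, $hash);
    printf("%-42s weak-present=%-5s hardened=%s\n", $body,
        old_password_present_weak($post['pwold']) ? 'true' : 'false',
        $r['ok'] ? 'ok' : $r['error']);
}
```

The middle input is the interesting one: the weak presence check reports a
password as present although no password text was sent, while the hardened
handler refuses it before password_verify() is ever reached. Every request
parameter that feeds an authorisation decision deserves the same is_string()
treatment, since the client controls the shape of the payload, not only its
content.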


References
--
https://hackerone.com/reports/792895
https://github.com/revive-adserver/revive-adserver/commit/e2a519c3
https://cwe.mitre.org/data/definitions/863.html




Vulnerability 2 - Open Redirect

Vulnerability Type:URL Redirection to Untrusted Site
   ('Open Redirect') [CWE-601]
CVE-ID:t.b.a.
CVSS Base Score:   4.2
CVSSv3.1 Vector:   AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore:  2.5
CVSS Exploitability Subscore: 1.6


Description
---
An Open Redirect vulnerability was discovered and reported by HackerOne
user hoangn144. A remote attacker could trick logged-in users into opening
a specifically crafted link and have them redirected to any destination.


Details
---
The CSRF protection of the "/www/admin/*-modify.php" could be skipped if
no meaningful parameter was sent. No action was performed, but the user
was still redirected to the target page, specified via the "returnurl"
GET parameter.


References
--
https://hackerone.com/reports/794144
https://github.com/revive-adserver/revive-adserver/commit/05fcd364
https://cwe.mitre.org/data/definitions/601.html




Solution


We strongly advise people to upgrade to the most recent 5.0.5 version of
Revive Adserver.



Contact Information


The security contact for Revive Adserver can be reached at:
.

Please review https://www.revive-adserver.com/security/ before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/



[FD] [REVIVE-SA-2019-002] Revive Adserver Vulnerability

2019-05-24 Thread Matteo Beccati via Fulldisclosure

Revive Adserver Security Advisory REVIVE-SA-2019-002

https://www.revive-adserver.com/security/revive-sa-2019-002

CVE-IDs:   t.b.a.
Date:  2019-05-21
Risk Level:High
Applications affected: Revive Adserver
Versions affected: < 4.2.1
Versions not affected: >= 4.2.1
Website:   https://www.revive-adserver.com/




Vulnerability 1 - Use of Cryptographically Weak PRNG

Vulnerability Type:Use of Cryptographically Weak Pseudo-Random
   Number Generator (PRNG) [CWE-338]
CVE-ID:t.b.a.
CVSS Base Score:   8.1
CVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Impact Subscore:  5.9
CVSS Exploitability Subscore: 2.2


Description
---
A Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
vulnerability has been discovered in the generation of the token used
for the password recovery functionality of Revive Adserver by HackerOne
user paulos_. This vulnerability could be used to gain access to
existing user accounts if the attacker has access to the password
recovery URL and knows or can guess the email address associated with
the target account.

Details
---
An attacker could request a password reset for a known user account and
exploit the usage of the weak uniqid() function to guess what the
generated password recovery token could be. If successful, they could
set a new password and gain access to the account.
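Added example, not Revive Adserver's code, showing why a uniqid() value can
be guessed and what a recovery token should look like instead. The "oracle"
that confirms a guess is simulated offline with a string comparison (on the
page that role is played by the password-recovery script); the storage layout
of the fixed token is an assumption made for the example. PHP 7.4 or later.

```php
<?php
// Added example (not Revive Adserver code): why uniqid() is not a secret.

// uniqid() without extra entropy is the current time: 8 hex digits of
// seconds followed by 5 hex digits of microseconds, nothing else.
function uniqid_token(): string {
    return uniqid();   // 13 hex characters
}

// An attacker who knows roughly when the reset was requested can enumerate
// every value uniqid() could have produced in that window: 1,000,000
// candidates per second of uncertainty. $oracle stands in for whatever
// reveals that a guess is valid; here it is an offline comparison.
function guess_uniqid_token(callable $oracle, int $secFrom, int $secTo): ?string {
    for ($sec = $secFrom; $sec <= $secTo; $sec++) {
        for ($usec = 0; $usec < 1000000; $usec++) {
            $candidate = sprintf('%08x%05x', $sec, $usec);
            if ($oracle($candidate)) {
                return $candidate;
            }
        }
    }
    return null;
}

// Corrected: 256 bits from the CSPRNG, stored only as a hash, compared in
// constant time, and bound to an expiry. (Storage layout is an assumption.)
function issue_recovery_token(): array {
    $token = bin2hex(random_bytes(32));
    return [
        'token'  => $token,                  // sent to the user, never stored
        'record' => [                        // stored server-side
            'hash'    => hash('sha256', $token),
            'expires' => time() + 3600,
        ],
    ];
}

function recovery_token_valid(string $presented, array $record): bool {
    return time() < $record['expires']
        && hash_equals($record['hash'], hash('sha256', $presented));
}

// Demo: issue a uniqid() token, then recover it knowing only a 2-second window.
$victimToken = uniqid_token();
$now         = time();
$found = guess_uniqid_token(fn(string $c) => hash_equals($victimToken, $c), $now - 1, $now);
printf("uniqid token %s recovered by enumeration: %s\n",
    $victimToken, var_export($found === $victimToken, true));

// The same search against the fixed token has a space of 2^256 values.
$issued = issue_recovery_token();
printf("random token valid: %s, tampered token valid: %s\n",
    var_export(recovery_token_valid($issued['token'], $issued['record']), true),
    var_export(recovery_token_valid(strrev($issued['token']), $issued['record']), true));
```

The enumeration loop finishes in a second or two on a laptop; against a live
target the limiting factor is how many guesses the recovery endpoint will
accept, which is why the advisory's interim advice to block
www/admin/password-recovery.php is the right stopgap. Storing only a hash of
the random token means a database read does not hand out usable reset links.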

References
--
https://hackerone.com/reports/576504
https://github.com/revive-adserver/revive-adserver/commit/51fef40
https://cwe.mitre.org/data/definitions/338.html




Solution


We strongly advise people to upgrade to the most recent 4.2.1 version of
Revive Adserver. In case that is not immediately feasible, we especially
recommend deleting or blocking the www/admin/password-recovery.php script.



Contact Information


The security contact for Revive Adserver can be reached at:
.

Please review https://www.revive-adserver.com/security/ before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/



[FD] [REVIVE-SA-2019-001] Revive Adserver - Multiple vulnerabilities

2019-04-30 Thread Matteo Beccati via Fulldisclosure

Revive Adserver Security Advisory REVIVE-SA-2019-001

https://www.revive-adserver.com/security/revive-sa-2019-001

CVE-IDs:   t.b.a.
Date:  2019-04-23
Risk Level:High
Applications affected: Revive Adserver
Versions affected: < 4.2.0
Versions not affected: >= 4.2.0
Website:   https://www.revive-adserver.com/




Vulnerability 1 - Deserialization of Untrusted Data

Vulnerability Type:Deserialization of Untrusted Data [CWE-502]
CVE-ID:t.b.a.
CVSS Base Score:   10
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Impact Subscore:  6.0
CVSS Exploitability Subscore: 3.9


Description
---
A Deserialization of Untrusted Data vulnerability has been discovered in
Revive Adserver's delivery XML-RPC scripts. This vulnerability could
be used to perform various types of attacks, e.g. exploit
serialize-related PHP vulnerabilities or PHP object injection.

It is possible, although unconfirmed, that the vulnerability has been
used by some attackers in order to gain access to some Revive Adserver
instances and deliver malware through them to third party websites.

Details
---
An attacker could send a specifically crafted payload to the XML-RPC
invocation script and trigger the unserialize() call using the "what"
parameter in the "openads.spc" RPC method of adxmlrpc.php and
www/delivery/axmlrpc.php. Likewise the www/delivery/dxmlrpc.php script
uses unserialize() on the first parameter of the "pluginExecute" method.
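Added example, not Revive Adserver's code, of the bug class behind the
XML-RPC finding. The LogWriter gadget class, the payload and the three
rpc_openads_spc_* handlers are constructed for this page; only the idea that
the "what" parameter is handed to unserialize() comes from the advisory.
PHP 7.4 or later.

```php
<?php
// Added example (not Revive Adserver code). Gadget class, payload and the
// handling of the "what" parameter are constructed to show the bug class;
// Revive's real classes and the XML-RPC transport are not reproduced.

// A harmless stand-in for a gadget: any autoloadable class whose magic
// method (__wakeup, __destruct, __toString, ...) acts on attacker-controlled
// properties. This one "writes a log line" to an in-memory sink.
final class LogWriter {
    public string $path = '/var/log/app.log';
    public string $line = '';
    public static array $sink = [];
    public function __destruct() {
        // In a real code base this would be file_put_contents($this->path, ...)
        self::$sink[] = "{$this->path}: {$this->line}";
    }
}

// Vulnerable: the RPC method deserialises whatever string the client sent.
function rpc_openads_spc_vulnerable(string $what): array {
    $params = unserialize($what);
    return is_array($params) ? $params : [];
}

// Fixed 1: same call, but no class may be instantiated. Objects in the input
// become __PHP_Incomplete_Class and no magic method of a real class runs.
function rpc_openads_spc_fixed(string $what): array {
    $params = unserialize($what, ['allowed_classes' => false]);
    return is_array($params) ? $params : [];
}

// Fixed 2 (preferable for new code): do not accept PHP's serialisation format
// from the network at all; JSON carries data, never object instantiation.
function rpc_openads_spc_json(string $what): array {
    $params = json_decode($what, true, 8, JSON_THROW_ON_ERROR);
    return is_array($params) ? $params : [];
}

// Constructed payload: an array whose only element is a LogWriter with
// attacker-chosen properties. serialize() is used for clarity; an attacker
// would hand-craft the same string.
$gadget = new LogWriter();
$gadget->path = '/tmp/attacker-chosen-path';
$gadget->line = 'attacker-chosen content';
$payload = serialize([$gadget]);
unset($gadget);            // destruct the original, then start from a clean sink
LogWriter::$sink = [];

rpc_openads_spc_vulnerable($payload);   // object created, then freed -> __destruct runs
$ranVulnerable = count(LogWriter::$sink);

LogWriter::$sink = [];
$r = rpc_openads_spc_fixed($payload);
$ranFixed = count(LogWriter::$sink);

printf("vulnerable: __destruct ran %d time(s)\n", $ranVulnerable);
printf("fixed:      __destruct ran %d time(s); element is %s\n", $ranFixed, get_class($r[0]));
try {
    rpc_openads_spc_json($payload);
} catch (JsonException $e) {
    printf("json:       rejected (%s)\n", $e->getMessage());
}
```

The point the vulnerable call makes is that the attacker never needs to call
anything: merely constructing the object and letting it go out of scope runs
its destructor with the attacker's property values. allowed_classes => false
removes that capability from unserialize() without changing the call site,
which is the kind of minimal fix that can be applied while the advisory's
stronger advice (remove the XML-RPC scripts if they are not needed) is
evaluated.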

References
--
https://hackerone.com/reports/512076
https://hackerone.com/reports/542670
https://github.com/revive-adserver/revive-adserver/commit/dffed50
https://github.com/revive-adserver/revive-adserver/commit/a1c3db4
https://cwe.mitre.org/data/definitions/502.html



Vulnerability 2 - Open Redirect

Vulnerability Type:URL Redirection to Untrusted Site
   ('Open Redirect') [CWE-601]
CVE-ID:t.b.a.
CVSS Base Score:   4.2
CVSS v3 Vector:AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore:  2.5
CVSS Exploitability Subscore: 1.6


Description
---
An Open Redirect vulnerability was discovered and reported by HackerOne
user Sammy (sumni). A remote attacker can trick a logged-in user into
opening a specially crafted link and have them redirected to any destination.


Details
---
Input passed via the "return_url" GET parameter to
"/www/admin/account-switch.php" script is not properly sanitised and
used to redirect the user to the target page.
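Added example (not Revive Adserver's code) covering this return_url finding
together with the returnurl finding in REVIVE-SA-2020-002 above: a return-URL
validator that accepts only site-relative paths, and a *-modify style handler
that verifies the CSRF token before it redirects. The parameter names
returnurl and return_url are from the advisories; the token handling, the
fallback path and everything else are assumptions made for the example.
PHP 7 or later.

```php
<?php
// Added example (not Revive Adserver code). Parameter names returnurl /
// return_url come from the advisories; the rest is constructed for this page.

// A client-supplied redirect target is accepted only if it is a
// path-relative URL on this site: no scheme, no host, no userinfo, no "//"
// or "/\" prefix (browsers treat both as protocol-relative), no control
// characters (header injection), and a sane length.
function safe_return_url(?string $url, string $fallback = '/admin/index.php'): string {
    if ($url === null || $url === '' || strlen($url) > 2048) {
        return $fallback;
    }
    if (preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return $fallback;
    }
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    $path = $parts['path'] ?? '';
    // Exactly one leading "/" and not "/\": parsers disagree on backslashes,
    // so the second character is tested explicitly.
    if ($path === '' || $path[0] !== '/'
        || ($path[1] ?? '') === '/' || ($path[1] ?? '') === '\\') {
        return $fallback;
    }
    $out = $path;
    if (isset($parts['query']))    { $out .= '?' . $parts['query']; }
    if (isset($parts['fragment'])) { $out .= '#' . $parts['fragment']; }
    return $out;
}

// The CSRF check runs before any side effect, and a redirect is a side
// effect: skipping the token check "because no meaningful parameter was
// sent" but still redirecting is exactly the ordering mistake described
// in REVIVE-SA-2020-002.
function handle_modify(array $get, array $post, array $session): array {
    $token = $post['token'] ?? '';
    if (!is_string($token) || !isset($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $token)) {
        return ['status' => 403, 'location' => null];
    }
    // ... perform the requested modification here (omitted) ...
    return ['status' => 302, 'location' => safe_return_url($get['returnurl'] ?? null)];
}

// Constructed inputs for the validator.
$cases = [
    '/admin/campaign-modify.php?id=7',
    'https://evil.example/phish',
    '//evil.example/phish',
    '/\\evil.example/phish',
    'javascript:alert(1)',
    '/ok#frag',
    '',
];
foreach ($cases as $c) {
    printf("%-40s -> %s\n", var_export($c, true), safe_return_url($c));
}

// Constructed request pair: no token (must not redirect), valid token.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$noToken = handle_modify(['returnurl' => '//evil.example'], [], $session);
$withTok = handle_modify(['returnurl' => '/admin/index.php?saved=1'],
                         ['token' => $session['csrf_token']], $session);
printf("no token: %d, with token: %d -> %s\n",
    $noToken['status'], $withTok['status'], $withTok['location']);
```

Only the first and the "/ok#frag" cases survive the validator; everything
that carries a scheme or an authority, explicitly or via a protocol-relative
prefix, falls back to the fixed landing page. The handler shows the other
half of the fix: a request without a valid token gets a 403 and no Location
header at all, so the redirect cannot be used as a phishing trampoline even
when the validator is later loosened.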


References
--
https://github.com/revive-adserver/revive-adserver/commit/3db7aa0
https://cwe.mitre.org/data/definitions/601.html




Solution


We strongly advise people to upgrade to the most recent 4.2.0 version of
Revive Adserver. In case that is not immediately feasible, we especially
recommend deleting the adxmlrpc.php, www/delivery/axmlrpc.php and
www/delivery/dxmlrpc.php files.



Contact Information


The security contact for Revive Adserver can be reached at:
.

Please review https://www.revive-adserver.com/security/ before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/

