[FD] [REVIVE-SA-2021-002] Revive Adserver Vulnerabilities
Revive Adserver Security Advisory REVIVE-SA-2021-002
https://www.revive-adserver.com/security/revive-sa-2021-002

CVE-IDs: CVE-2021-22874, CVE-2021-22875
Date: 2020-01-26
Risk Level: Low
Applications affected: Revive Adserver
Versions affected: <= 5.1.0
Versions not affected: >= 5.1.1
Website: https://www.revive-adserver.com/


Vulnerability 1 - Reflected XSS
-------------------------------
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: CVE-2021-22874
CVSS Base Score: 4.3
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore: 1.4
CVSS Exploitability Subscore: 2.8

Description
-----------
Security researcher Alexey Solovyev (solov9ev) has discovered a reflected XSS vulnerability in userlog-index.php. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript code.

Details
-------
The period_preset parameter was not fully escaped in userlog-index.php (and possibly other scripts) when printed in a JavaScript context, allowing an attacker to work around the existing escaping by injecting a closing tag, which allows other malicious HTML and/or JavaScript code to be appended. What can be injected is limited by the existing escaping, and the session cookie cannot be accessed or stolen via JavaScript.

References
----------
https://hackerone.com/reports/1083231
https://github.com/revive-adserver/revive-adserver/commit/e2a67ce8
https://cwe.mitre.org/data/definitions/79.html


Vulnerability 2 - Reflected XSS
-------------------------------
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: CVE-2021-22875
CVSS Base Score: 4.3
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore: 1.4
CVSS Exploitability Subscore: 2.8

Description
-----------
Security researcher Alexey Solovyev (solov9ev) has discovered a reflected XSS vulnerability in stats.php. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and pressing a certain key combination to execute injected JavaScript code.

Details
-------
The setPerPage parameter was not fully escaped in stats.php (and possibly other scripts) when printed in an HTML attribute, allowing an attacker to work around the existing escaping and inject other HTML attributes. The published exploit requires the victim to press a complex combination of keys to execute JavaScript code injected as the onclick attribute of a hidden form field. Again, the session cookie cannot be accessed or stolen via JavaScript.

References
----------
https://hackerone.com/reports/1083376
https://github.com/revive-adserver/revive-adserver/commit/6f46076a
https://cwe.mitre.org/data/definitions/79.html


Solution
--------
We strongly advise people to upgrade to the most recent 5.1.1 version of Revive Adserver.


Contact Information
-------------------
The security contact for Revive Adserver can be reached at: . Please review https://www.revive-adserver.com/security/ before doing so.

--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/

OpenPGP_signature
Description: OpenPGP digital signature

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
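As an added illustration of the two escaping gaps in this advisory (example code, not Revive Adserver's own): the Python below shows why JSON-encoding alone lets a closing tag inside period_preset end the script element, and why an escaped but unquoted attribute still lets setPerPage grow extra attributes, with the hardened variant beside each. The unquoted attribute is an assumed model of the stats.php bug, since the advisory does not show the original markup; the sample inputs are constructed.

```python
import html
import json
from html.parser import HTMLParser

# Constructed inputs modelled on the two findings: a closing tag inside a
# JavaScript string, and a value that tries to smuggle in extra attributes.
SCRIPT_BREAKOUT = 'today</script><svg onload=alert(1)>'
ATTR_BREAKOUT = '10" autofocus onfocus="alert(1)'

def js_string_naive(value):
    # Escapes quotes and backslashes but not "<" or ">", so "</script>" survives.
    return json.dumps(value)

def js_string_safe(value):
    # Hardened: also \u-escape what can alter the HTML parse (ensure_ascii already
    # covers U+2028/2029); same idea as PHP json_encode() with JSON_HEX_TAG|JSON_HEX_AMP.
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out

def script_block(value, safe=True):
    enc = js_string_safe(value) if safe else js_string_naive(value)
    return "<script>var period_preset = " + enc + ";</script>"

def script_breakouts(markup):
    # Browsers end the element at the first "</script"; extra ones are injections.
    return markup.lower().count("</script") - 1

def attr_unquoted(value):
    # Escaped but unquoted (assumed model of the stats.php bug): a space ends the
    # value and whatever follows is parsed as further attributes.
    return '<input type="hidden" name="setPerPage" value=' + html.escape(value) + ">"

def attr_quoted(value):
    # Hardened: quote the attribute; html.escape() encodes both quote characters.
    return '<input type="hidden" name="setPerPage" value="' + html.escape(value) + '">'

class _InputAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def parsed_attrs(markup):
    # What a browser-like parser actually sees in the <input> tag.
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs
```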
[FD] [REVIVE-SA-2021-001] Revive Adserver Vulnerabilities
Revive Adserver Security Advisory REVIVE-SA-2021-001
https://www.revive-adserver.com/security/revive-sa-2021-001

CVE-IDs: CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
Date: 2020-01-19
Risk Level: Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.5
Versions not affected: >= 5.1.0
Website: https://www.revive-adserver.com/


Vulnerability 1 - Persistent XSS
--------------------------------
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: CVE-2021-22871
CVSS Base Score: 3.5
CVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 0.9

Description
-----------
A persistent XSS vulnerability has been discovered by security researcher Keyur Vala. An attacker with manager account credentials could store HTML code in a website property, which could subsequently be displayed unescaped on a specific page to other users in the system.

Details
-------
Any user with a manager account could store specifically crafted content in the URL website property, which was then displayed unsanitised in the affiliate-preview.php tag generation screen, potentially to other users in the system, allowing a persistent XSS attack to take place. The target users would however mostly have access to the same resources as the attacker, so the practical applications are not considered particularly harmful, especially since the session cookie cannot be accessed via JavaScript.

References
----------
https://hackerone.com/reports/819362
https://github.com/revive-adserver/revive-adserver/commit/89b88ce26
https://github.com/revive-adserver/revive-adserver/commit/62a2a0439
https://cwe.mitre.org/data/definitions/79.html


Vulnerability 2 - Reflected XSS
-------------------------------
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: CVE-2021-22872
CVSS Base Score: 4.3
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore: 1.4
CVSS Exploitability Subscore: 2.8

Description
-----------
Security researcher Axel Flamcourt has discovered that the fix for the reflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on older browsers with specifically crafted payloads to the publicly accessible afr.php delivery script of Revive Adserver. The practical applications are not considered particularly harmful, especially since the session cookie cannot be accessed via JavaScript.

Details
-------
The previous fix worked on most modern browsers, but some older browsers (e.g. IE11) do not automatically URL-encode parameters, which leaves an opportunity to inject closing and opening script tags and achieve reflected XSS attacks.

References
----------
https://hackerone.com/reports/986365
https://www.revive-adserver.com/security/revive-sa-2020-001
https://github.com/revive-adserver/revive-adserver/commit/00fdb8d0e
https://github.com/revive-adserver/revive-adserver/commit/1dbcf7d50
https://cwe.mitre.org/data/definitions/79.html


Vulnerability 3 - Open Redirect
-------------------------------
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') [CWE-601]
CVE-ID: CVE-2021-22873
CVSS Base Score: 5.4
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 2.8

Description
-----------
An opportunity for open redirects has been available by design since the early versions of Revive Adserver's predecessors in the impression and click tracking scripts, to allow third party ad servers to track such metrics when delivering ads. Historically the display advertising industry has considered that to be a feature, not a real vulnerability. Things have evolved since then and third party click tracking via redirects is not a viable option anymore, therefore any functionality
[FD] [REVIVE-SA-2020-002] Revive Adserver Vulnerabilities
Revive Adserver Security Advisory REVIVE-SA-2020-002
https://www.revive-adserver.com/security/revive-sa-2020-002

CVE-IDs: t.b.a.
Date: 2020-03-12
Risk Level: Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.4
Versions not affected: >= 5.0.5
Website: https://www.revive-adserver.com/


Vulnerability 1 - Security restriction bypass
---------------------------------------------
Vulnerability Type: Incorrect Authorization [CWE-863]
CVE-ID: t.b.a.
CVSS Base Score: 5.6
CVSSv3.1 Vector: AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS Impact Subscore: 5.2
CVSS Exploitability Subscore: 0.4

Description
-----------
A security restriction bypass vulnerability has been discovered by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was however possible for anyone with access to a Revive Adserver admin user interface to bypass that check and change the e-mail address or password of the currently logged in user by altering the form payload.

Details
-------
The attack requires physical access to the user interface of a logged in user. If the POST payload was altered by turning the "pwold" parameter into an array, Revive Adserver would fetch and authorise the operation even if no password was provided.

References
----------
https://hackerone.com/reports/792895
https://github.com/revive-adserver/revive-adserver/commit/e2a519c3
https://cwe.mitre.org/data/definitions/863.html


Vulnerability 2 - Open Redirect
-------------------------------
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') [CWE-601]
CVE-ID: t.b.a.
CVSS Base Score: 4.2
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 1.6

Description
-----------
An Open Redirect vulnerability was discovered and reported by HackerOne user hoangn144. A remote attacker could trick logged-in users into opening a specifically crafted link and have them redirected to any destination.

Details
-------
The CSRF protection of the "/www/admin/*-modify.php" scripts could be skipped if no meaningful parameter was sent. No action was performed, but the user was still redirected to the target page, specified via the "returnurl" GET parameter.

References
----------
https://hackerone.com/reports/794144
https://github.com/revive-adserver/revive-adserver/commit/05fcd364
https://cwe.mitre.org/data/definitions/601.html


Solution
--------
We strongly advise people to upgrade to the most recent 5.0.5 version of Revive Adserver.


Contact Information
-------------------
The security contact for Revive Adserver can be reached at: . Please review https://www.revive-adserver.com/security/ before doing so.

--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/
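An added example (not the project's code) of the re-authentication check the first finding in this advisory concerns: the current-password test accepts only a non-empty string, so a pwold field that arrives as an array is simply a failed check rather than a bypass. pwold is the field the advisory names; the email and pwnew fields, the PBKDF2 hashing and the account layout are assumptions.

```python
import hashlib
import hmac
import os

def hash_password(password, salt):
    # PBKDF2 stands in for whatever password hash the application really uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(email, password):
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}

def current_password_ok(account, supplied):
    # The only acceptable shape is a non-empty str. PHP turns "pwold[]=..." into
    # an array, so an "is pwold set?" style check passes without any password.
    if not isinstance(supplied, str) or supplied == "":
        return False
    return hmac.compare_digest(account["hash"], hash_password(supplied, account["salt"]))

def apply_account_change(form, account):
    """Return the updated account dict, or the unchanged one when re-authentication
    fails. form is the decoded POST body; pwold is the advisory's field name, the
    email and pwnew fields are assumed."""
    if not current_password_ok(account, form.get("pwold")):
        return account
    updated = dict(account)
    new_email = form.get("email")
    if isinstance(new_email, str) and "@" in new_email:
        updated["email"] = new_email
    new_pw = form.get("pwnew")
    if isinstance(new_pw, str) and new_pw:
        updated["salt"] = os.urandom(16)
        updated["hash"] = hash_password(new_pw, updated["salt"])
    return updated
```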
[FD] [REVIVE-SA-2019-002] Revive Adserver Vulnerability
Revive Adserver Security Advisory REVIVE-SA-2019-002
https://www.revive-adserver.com/security/revive-sa-2019-002

CVE-IDs: t.b.a.
Date: 2019-05-21
Risk Level: High
Applications affected: Revive Adserver
Versions affected: < 4.2.1
Versions not affected: >= 4.2.1
Website: https://www.revive-adserver.com/


Vulnerability 1 - Use of Cryptographically Weak PRNG
----------------------------------------------------
Vulnerability Type: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) [CWE-388]
CVE-ID: t.b.a.
CVSS Base Score: 8.1
CVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Impact Subscore: 5.9
CVSS Exploitability Subscore: 2.2

Description
-----------
A Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability has been discovered by HackerOne user paulos_ in the generation of the token used for the password recovery functionality of Revive Adserver. Such a vulnerability could be used to gain access to existing user accounts, if the attacker has access to the password recovery URL and knows or can guess the email address associated with the target account.

Details
-------
An attacker could request a password reset for a known user account and exploit the usage of the weak uniqid() function to guess what the generated password recovery token could be. If successful, they could set a new password and gain access to the account.

References
----------
https://hackerone.com/reports/576504
https://github.com/revive-adserver/revive-adserver/commit/51fef40
https://cwe.mitre.org/data/definitions/338.html


Solution
--------
We strongly advise people to upgrade to the most recent 4.2.1 version of Revive Adserver. In case that is not immediately feasible, we especially recommend deleting or blocking the www/admin/password-recovery.php script.


Contact Information
-------------------
The security contact for Revive Adserver can be reached at: . Please review https://www.revive-adserver.com/security/ before doing so.

--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/
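An added illustration (not Revive Adserver code) of the PRNG point in this advisory: uniqid_like reproduces the documented shape of PHP's uniqid() output, every character of which follows from the clock, while RecoveryTokens shows a replacement that draws tokens from the OS CSPRNG, stores only their digests, and makes them single-use and time-limited. The TTL, the storage layout and the class interface are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a recovery link, in seconds

def uniqid_like(now):
    # Documented shape of PHP uniqid() without extra entropy: 8 hex digits of
    # seconds plus 5 hex digits of microseconds. Nothing in it is secret.
    secs = int(now)
    usec = int(round((now - secs) * 1_000_000))
    return "%08x%05x" % (secs, usec)

def shared_prefix(a, b):
    # Length of the common leading run: two weak tokens minted in the same second
    # agree on their first 8 characters, leaving only the microsecond part to vary.
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

class RecoveryTokens:
    """Password-recovery tokens drawn from the OS CSPRNG: single use, time-limited,
    and stored only as digests so a leaked table does not yield working links."""

    def __init__(self, now=time.time):
        self._now = now
        self._store = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # 256 random bits
        self._store[self._digest(token)] = (email, self._now() + TOKEN_TTL)
        return token

    def redeem(self, token):
        # Return the account's e-mail if the token is live, else None. The entry
        # is removed on first use whether or not it has already expired.
        entry = self._store.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires = entry
        return email if self._now() <= expires else None
```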
[FD] [REVIVE-SA-2019-001] Revive Adserver - Multiple vulnerabilities
Revive Adserver Security Advisory REVIVE-SA-2019-001
https://www.revive-adserver.com/security/revive-sa-2019-001

CVE-IDs: t.b.a.
Date: 2019-04-23
Risk Level: High
Applications affected: Revive Adserver
Versions affected: < 4.2.0
Versions not affected: >= 4.2.0
Website: https://www.revive-adserver.com/


Vulnerability 1 - Deserialization of Untrusted Data
---------------------------------------------------
Vulnerability Type: Deserialization of Untrusted Data [CWE-502]
CVE-ID: t.b.a.
CVSS Base Score: 10
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Impact Subscore: 6.0
CVSS Exploitability Subscore: 3.9

Description
-----------
A Deserialization of Untrusted Data vulnerability has been discovered in Revive Adserver's delivery XML-RPC scripts. Such a vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites.

Details
-------
An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call using the "what" parameter in the "openads.spc" RPC method of adxmlrpc.php and www/delivery/axmlrpc.php. Likewise, the www/delivery/dxmlrpc.php script uses unserialize() on the first parameter of the "pluginExecute" method.

References
----------
https://hackerone.com/reports/512076
https://hackerone.com/reports/542670
https://github.com/revive-adserver/revive-adserver/commit/dffed50
https://github.com/revive-adserver/revive-adserver/commit/a1c3db4
https://cwe.mitre.org/data/definitions/502.html


Vulnerability 2 - Open Redirect
-------------------------------
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') [CWE-601]
CVE-ID: t.b.a.
CVSS Base Score: 4.2
CVSSv3 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 1.6

Description
-----------
An Open Redirect vulnerability was discovered and reported by HackerOne user Sammy (sumni). A remote attacker can trick a logged-in user into opening a specially crafted link and have them redirected to any destination.

Details
-------
Input passed via the "return_url" GET parameter to the "/www/admin/account-switch.php" script is not properly sanitised and is used to redirect the user to the target page.

References
----------
https://github.com/revive-adserver/revive-adserver/commit/3db7aa0
https://cwe.mitre.org/data/definitions/601.html


Solution
--------
We strongly advise people to upgrade to the most recent 4.2.0 version of Revive Adserver. In case that is not immediately feasible, we especially recommend deleting the adxmlrpc.php, www/delivery/axmlrpc.php and www/delivery/dxmlrpc.php files.


Contact Information
-------------------
The security contact for Revive Adserver can be reached at: . Please review https://www.revive-adserver.com/security/ before doing so.

--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/
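As a detection aid for the unserialize() exposure described under Vulnerability 1 of this advisory (an added example, not part of the advisory or the project's fix): the Python below parses an XML-RPC methodCall and flags string parameters of the two named methods that begin a PHP serialized object, the marker that object-injection payloads carry and that plain scalar or array data does not. The sample request and its parameter layout are constructed, since the advisory does not show a real request.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an "openads.spc" call whose first parameter carries a PHP
# serialized object (O:...) in place of plain data. Parameter layout is assumed.
SAMPLE_CALL = """<?xml version="1.0"?>
<methodCall>
  <methodName>openads.spc</methodName>
  <params>
    <param><value><string>O:8:"stdClass":1:{s:4:"what";s:6:"zone:1";}</string></value></param>
    <param><value>https://example.com/page</value></param>
  </params>
</methodCall>"""

# The same call carrying a serialized array: plain data, nothing to flag.
BENIGN_CALL = SAMPLE_CALL.replace('O:8:"stdClass":1:{s:4:"what";s:6:"zone:1";}',
                                  'a:1:{i:0;s:6:"zone:1";}')

# Start of a PHP serialized object, O:<len>:"Class": (or C: for custom unserialize),
# either at the start of the value or right after a preceding element.
PHP_OBJECT = re.compile(r'(^|[;{])[OC]:\d+:"')

# Methods the advisory names as passing caller-supplied data to unserialize().
WATCHED_METHODS = {"openads.spc", "pluginExecute"}

def parse_call(xml_text):
    """Return (method name, list of string-valued parameters) for a methodCall."""
    root = ET.fromstring(xml_text)
    method = root.findtext("methodName", default="")
    values = []
    for v in root.iterfind("./params/param/value"):
        s = v.find("string")  # <value>text</value> is also a string in XML-RPC
        values.append((s.text if s is not None else v.text) or "")
    return method, values

def suspicious_params(xml_text):
    """Indices of parameters carrying a serialized PHP object in a watched method.
    [] means nothing to flag; [-1] means the body did not parse and needs a look."""
    try:
        method, values = parse_call(xml_text)
    except ET.ParseError:
        return [-1]
    if method not in WATCHED_METHODS:
        return []
    return [i for i, v in enumerate(values) if PHP_OBJECT.search(v)]
```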
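The open redirect in this advisory (return_url on account-switch.php) and the one in REVIVE-SA-2020-002 (returnurl on the *-modify.php scripts) share one cure: treat the return URL as untrusted and accept only a path inside the admin UI. The Python below is an added example, not the project's fix; ADMIN_HOME and the token field name are assumptions, and handle_modify models the 2020-002 detail that the CSRF check must run before any redirect is issued.

```python
import hmac
from urllib.parse import urlsplit, urlunsplit

ADMIN_HOME = "/www/admin/index.php"   # assumed fallback landing page

def safe_return_url(candidate, default=ADMIN_HOME):
    """Accept only an absolute path inside the admin UI; anything else falls back."""
    if not isinstance(candidate, str) or not candidate:
        return default
    # Browsers rewrite backslashes and swallow embedded tabs/newlines in ways
    # urlsplit() does not model ("/\evil" acts like "//evil"), so refuse them.
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        return default
    parts = urlsplit(candidate)
    # A scheme ("https:", "javascript:") or an authority ("//evil.example")
    # means the destination is not this site.
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    if not path.startswith("/www/admin/") or ".." in path.split("/"):
        return default
    return urlunsplit(("", "", path, parts.query, ""))   # fragment dropped

def handle_modify(form, session_token):
    """Model of a *-modify.php request: returns (status, location). The CSRF token
    is checked before anything else, so an empty request cannot become a redirect."""
    token = form.get("token")
    if not isinstance(token, str) or not hmac.compare_digest(
            token.encode(), session_token.encode()):
        return 403, None
    return 302, safe_return_url(form.get("returnurl"))
```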