Karan M. Tank and Smit B. Shah have reported via HackerOne that the
login page of Revive Adserver was vulnerable to password-guessing
attacks. An account lockdown feature was considered, but rejected to
avoid introducing service disruptions to regular users during such
attacks. A random delay has instead been introduced as a counter-measure
in case of password failures, along with a system to discourage parallel
brute forcing. These systems will effectively allow the valid users to
log in to the adserver, even while an attack is in progress.
A CVE-ID has been requested, but not assigned yet.
The HackerOne users kaviya and Kamini Singh have independently reported
that Revive Adserver was vulnerable to session fixation, by allowing
arbitrary session identifiers to be forced and, at the same time, by not
invalidating the existing session upon a successful authentication.
Under some circumstances, that could have been an opportunity for an
attacker to steal an authenticated sessions.
A CVE-ID has been requested, but not assigned yet.
Tengku Zahasman has reported via HackerOne that usernames were not
properly escaped when displayed in the audit trail widget of the
dashboard upon login, allowing persistent XSS attacks. An authenticated
user with enough privileges to create other users could exploit the
vulnerability to access the administrator account.
A CVE-ID has been requested, but not assigned yet.
An undisclosed user has reported via HackerOne that the password
recovery form in Revive Adserver was vulnerable to CSRF attacks. This
vulnerability could be exploited to send a large number of password
recovery emails to the registered users, especially in conjunction with
a bug that caused recovery emails to be sent to all the users at once.
Both issues have been fixed.
A CVE-ID has been requested, but not assigned yet.
The HackerOne user @decidedlygray has reported that the
affiliate-preview.php script in www/admin is vulnerable to a reflected
XSS attack. This vulnerability could be used by an attacker to steal the
session ID of an authenticated user, by tricking them into visiting a
specifically crafted URL.
A CVE-ID has been requested, but not assigned yet.
Karan M. Tank and Smit B. Shah have reported via HackerOne that it was
possible to check whether or not an email address was associated to one
or more user accounts on a target Revive Adserver instance by examining
the message printed by the password recovery system. Such information
cannot however be used directly to log in to the system, which requires
a username.
A CVE-ID has been requested, but not assigned yet.
Johan Caluwe has reported via HackerOne two vectors for persistent XSS
attacks via the Revive Adserver user interface, both requiring a trusted
(non-admin) account:
the website name wasn't properly escaped when displayed in the
campaign-zone.php script; and
the banner image URL for external banners wasn't properly escaped when
displayed in most of the banner related pages.
A CVE-ID has been requested, but not assigned yet.
Following a number of CSRF reports, the Revive Adserver team have
conducted a security audit of the admin interface scripts in order to
identify and fix other potential CSRF vulnerabilities.
The effort led to fixing 20+ such issues: please see the commit for the
full list of files affected.
A CVE-ID has been requested, but not assigned yet.
Johan Caluwe has reported via HackerOne that www/admin/stats.php was
vulnerable to reflected XSS attacks via multiple parameters that were
not properly sanitised or escaped when displayed, such as "setPerPage",
"pageId", "bannerid", "pereiod_start", "period_end" and possibly others.
A CVE-ID has been requested, but not assigned yet.
We strongly advise people to upgrade to the most recent 3.2.3 release
of Revive Adserver, including those running OpenX Source or older
versions of the application.
Revive Adserver Security Advisory REVIVE-SA-2016-001
========================================================================
http://www.revive-adserver.com/security/revive-sa-2016-001
========================================================================
CVE-IDs: TBA
Date: 2016-03-02
Risk Level: Medium
Applications affected: Revive Adserver
Versions affected: <= 3.2.2
Versions not affected: >= 3.2.3
Website: http://www.revive-adserver.com/
========================================================================
========================================================================
Vulnerability 1 - Improper Restriction of Excessive Authentication
Attempts
========================================================================
CVE-ID: TBA
CWE-ID: CWE-307
CVSSv2: 8.5 (AV:N/AC:L/Au:N/C:C/I:P/A:N)
========================================================================
Karan M. Tank and Smit B. Shah have reported via HackerOne that the
login page of Revive Adserver was vulnerable to password-guessing
attacks. An account lockdown feature was considered, but rejected to
avoid introducing service disruptions to regular users during such
attacks. A random delay has instead been introduced as a counter-measure
in case of password failures, along with a system to discourage parallel
brute forcing. These systems will effectively allow the valid users to
log in to the adserver, even while an attack is in progress.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/307.html
https://github.com/revive-adserver/revive-adserver/commit/84794139
========================================================================
Vulnerability 2 - Session Fixation
========================================================================
CVE-ID: TBA
CWE-ID: CWE-384
CVSSv2: 7.8 (AV:N/AC:M/Au:N/C:C/I:P/A:N)
========================================================================
The HackerOne users kaviya and Kamini Singh have independently reported
that Revive Adserver was vulnerable to session fixation, by allowing
arbitrary session identifiers to be forced and, at the same time, by not
invalidating the existing session upon a successful authentication.
Under some circumstances, that could have been an opportunity for an
attacker to steal an authenticated sessions.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/384.html
https://github.com/revive-adserver/revive-adserver/commit/49103656
========================================================================
Vulnerability 3 - Persistent XSS
========================================================================
CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 5.6 (AV:N/AC:H/Au:S/C:C/I:P/A:N)
========================================================================
Tengku Zahasman has reported via HackerOne that usernames were not
properly escaped when displayed in the audit trail widget of the
dashboard upon login, allowing persistent XSS attacks. An authenticated
user with enough privileges to create other users could exploit the
vulnerability to access the administrator account.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/8d8c6df3
========================================================================
Vulnerability 4 - Cross-Site Request Forgery (CSRF)
========================================================================
CVE-ID: TBA
CWE-ID: CWE-352
CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
========================================================================
An undisclosed user has reported via HackerOne that the password
recovery form in Revive Adserver was vulnerable to CSRF attacks. This
vulnerability could be exploited to send a large number of password
recovery emails to the registered users, especially in conjunction with
a bug that caused recovery emails to be sent to all the users at once.
Both issues have been fixed.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/352.html
https://github.com/revive-adserver/revive-adserver/commit/3aaebcc7
========================================================================
Vulnerability 5 - Reflected XSS
========================================================================
CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
========================================================================
The HackerOne user @decidedlygray has reported that the
affiliate-preview.php script in www/admin is vulnerable to a reflected
XSS attack. This vulnerability could be used by an attacker to steal the
session ID of an authenticated user, by tricking them into visiting a
specifically crafted URL.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/a323fd62
https://github.com/revive-adserver/revive-adserver/commit/e17a7ec3
========================================================================
Vulnerability 6 - Information Exposure Through Discrepancy
========================================================================
CVE-ID: TBA
CWE-ID: CWE-203
CVSSv2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
========================================================================
Karan M. Tank and Smit B. Shah have reported via HackerOne that it was
possible to check whether or not an email address was associated to one
or more user accounts on a target Revive Adserver instance by examining
the message printed by the password recovery system. Such information
cannot however be used directly to log in to the system, which requires
a username.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/203.html
https://github.com/revive-adserver/revive-adserver/commit/38223a84
========================================================================
Vulnerability 7 - Persistent XSS
========================================================================
CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
========================================================================
Johan Caluwe has reported via HackerOne two vectors for persistent XSS
attacks via the Revive Adserver user interface, both requiring a trusted
(non-admin) account:
the website name wasn't properly escaped when displayed in the
campaign-zone.php script; and
the banner image URL for external banners wasn't properly escaped when
displayed in most of the banner related pages.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/f6880330
========================================================================
Vulnerability 8 - Cross-Site Request Forgery (CSRF)
========================================================================
CVE-ID: TBA
CWE-ID: CWE-352
CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
========================================================================
The HackerOne user @decidedlygray has reported a number of scripts in
Revive Adserver's user interface that were vulnerable to CSRF attacks:
- www/admin/banner-acl.php
- www/admin/banner-activate.php
- www/admin/banner-advanced.php
- www/admin/banner-modify.php
- www/admin/banner-swf.php
- www/admin/banner-zone.php
- www/admin/tracker-modify.php
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/352.html
https://github.com/revive-adserver/revive-adserver/commit/65a9c811
========================================================================
Vulnerability 9 - Cross-Site Request Forgery (CSRF)
========================================================================
CVE-ID: TBA
CWE-ID: CWE-352
CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
========================================================================
Following a number of CSRF reports, the Revive Adserver team have
conducted a security audit of the admin interface scripts in order to
identify and fix other potential CSRF vulnerabilities.
The effort led to fixing 20+ such issues: please see the commit for the
full list of files affected.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/352.html
https://github.com/revive-adserver/revive-adserver/commit/e563ca61
========================================================================
Vulnerability 10 - Reflected XSS
========================================================================
CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 5.6 (AV:N/AC:H/Au:S/C:C/I:P/A:N)
========================================================================
Johan Caluwe has reported via HackerOne that www/admin/stats.php was
vulnerable to reflected XSS attacks via multiple parameters that were
not properly sanitised or escaped when displayed, such as "setPerPage",
"pageId", "bannerid", "pereiod_start", "period_end" and possibly others.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/ecbe822b48ef4f
f61c2c6357c0c94199a81946f4
========================================================================
Solution
========================================================================
We strongly advise people to upgrade to the most recent 3.2.3 release
of Revive Adserver, including those running OpenX Source or older
versions of the application.
========================================================================
Contact Information
========================================================================
The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.
Please review http://www.revive-adserver.com/security/ before doing so.
--
Matteo Beccati
On behalf of the Revive Adserver Team
http://www.revive-adserver.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJW1xN6AAoJEHlDnsQiEkAukDIQAJmvHo4wdooS1E7bELTx+0rh
0HPchK3eRF/YGXzlWJQ+I25iuLVOeg0ptQtWj50KzABjBP6XUc23Pf+MJQMgmKnk
3X1s51DC8jgYaRLku0L2jIXNb+r/Vb/0h3DytJOaIiQhpXAPnRJ1eHTy1tLiMDda
0ebq97uIwv5MiTIH14SBmsTp/4nwfEVeo57weIocO8OnuEX10H+Gud1PCUu8zXQq
GNsahv4A6KPtB+CDffJP5/O8wOPF2u9DeyhFUMQ0Jk/GYLfeyvpM3y3on1VvFJg9
M4JyCo32dzmEbetzycjjtx6nwZXrRx2cUkP31orYhAUu41cQ5/d3H5LAZ12Ez/g0
nkbc4Wvrwe1MndNMtJegozSsrOtf9CvEaz0Vy8rzENGe/ze4rIj5/WaJMq3bjABW
MCSC0bZxuZrA4dWCfk3yA7J2xNneOZwftK09mmIf368rb4eEw6qFTT/CjHNeyeRR
IQw5+OpsP+k/4W9qBTuafHV5jbhGkKgQuqaXHFhVhvw2BAdPpj7/MKChoTSzuPdd
RhM9881W8pIy4JJ5IpwzygZAlxlGnWGy7ltkVZeUQBf6H17OAPzjK7RQg2RiMZZp
MOOp410cVjIA9BMYAG7Bn2MKICuseCV2efk4bH3tfFxExqeDtv4Oqu/L51WILAT/
4kx6RhoXGaIg3XyoeSA6
=DzMT
-----END PGP SIGNATURE-----
[ reply ]