BugTraq
[REVIVE-SA-2016-002] Revive Adserver - Multiple vulnerabilities Sep 28 2016 02:51PM
Matteo Beccati (matteo beccati com)
========================================================================

Revive Adserver Security Advisory REVIVE-SA-2016-002
========================================================================

http://www.revive-adserver.com/security/revive-sa-2016-002
========================================================================

CVE-IDs: TBA
Date: 2016-09-28
Risk Level: Medium
Applications affected: Revive Adserver
Versions affected: <= 3.2.4
Versions not affected: >= 3.2.5, >= 4.0.0
Website: http://www.revive-adserver.com/
========================================================================

========================================================================

Vulnerability 1 - Reflected file download
========================================================================

CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSSv3 Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSSv3 Base Score: 9.6
CVSSv3 Temporal Score: 8.9
========================================================================

Abdullah Hussam has reported via HackerOne that
www/delivery/asyncspc.php was vulnerable to the fairly new Reflected
File Download (RFD) web attack vector that enables attackers to gain
complete control over a victim's machine by virtually downloading a
file from a trusted domain.

References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/69aacbd2

========================================================================

Vulnerability 2 - Special Element Injection
========================================================================

CVE-ID: TBA
CWE-ID: CWE-75
CVSSv2: 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

CVSSv3 Vector CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 3.1
CVSSv3 Temporal Score: 2.7
========================================================================

Joel Noguera has reported via HackerOne that usernames weren't properly
sanitised when creating users on a Revive Adserver instance. Especially,
control characters were not filtered, allowing apparently identical
usernames to co-exist in the system, due to the fact that such
characters are normally ignored when an HTML page is displayed in a
browser. The issue could have therefore been exploited for user
spoofing, although elevated privileges are required to create users
within Revive Adserver.

References
==========

https://cwe.mitre.org/data/definitions/75.html
https://github.com/revive-adserver/revive-adserver/commit/05b1eceb

========================================================================

Vulnerability 3 - Reflected XSS
========================================================================

CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 4 (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVSSv3 Vector CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 4.2
CVSSv3 Temporal Score: 3.7
========================================================================

The HackerOne user pavanw3b has reported that the Revive Adserver web
installer scripts were vulnerable to a reflected XSS attack via the
dbHost, dbUser and possibly other parameters. It has to be noted that
the window for such attack vectors to be possible is extremely narrow
and it is very unlikely that such an attack could be actually effective.

References
==========

https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/14ff73f0
https://github.com/revive-adserver/revive-adserver/commit/fcf72c8a

========================================================================

Solution
========================================================================

We strongly advise people to upgrade to the most recent 4.0.0 or 3.2.5
releases of Revive Adserver, including those running OpenX Source or
older versions of the application.

========================================================================

Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review http://www.revive-adserver.com/security/ before doing so.

--
Matteo Beccati
On behalf of the Revive Adserver Team
http://www.revive-adserver.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJX69j2AAoJEHlDnsQiEkAuqUsP/0N1LePS3c3B6ynxxOX2q+kI
zn14G+4NpPUCZMOOuZtET9f4BmcvpmVfFC54pkttMY6vFvhVSs8dBJ+kYHlPmSiO
te/3zdsv1BZcBWs+wlyfBS1vUuj3nkbiUu8JmbYvUZR92u5Be/ZvjdqfJNJleFH+
1NOLkpzEkYYvdnmfLieQPVzbjs2Er2Wxkh2v6aGAd7nIO3RPaYql8ZhJwml+Rzxs
i5eIebJWfePyM5eVncHTu4gDU2FTEJpJP50K4RW/u0HiqPa9D/FZanin98IEQV1k
GxuzJbARLopvbYDw7anub1fqmBty3Hm3NO8NM8RUugJMaXOQJ4LtlVoU6KE+bX2q
6XiERHzDsaoMc0Gft1hBi+Iphn1rV/X/xkDYvWvVkWVDgC/MOG3cNcj/9fEo1VER
9EEbiGgetsj5iN1BkkUyxUDws3fg4NY7+sjEIE7oSERIWfyXUqYqxxmkiLWk8r3N
BZDrKRDNojV0Y3FFxJH0mH+KBd+mcW9ve8vZ5ieefv1jbIOPaJ5AFBgdtHKI9ukK
d6u8q5ke/dO4JfKfd1OrrLKO7swXpgqwiRabb3r1JOlYwzIYir9POwkUOr6V1F/I
TqAD6X4aBuvuxPD2ZtAc4r86nrhAMMcj/JzuX/1EEhY+EttP4ZfIv2WNmHotpwBd
1qB9FT4n7h4p4JRg6uA8
=JHV9
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus