Download edition

Revive Adserver Security Advisory REVIVE-SA-2015-001

Revive Adserver Security Advisory REVIVE-SA-2015-001

  • Advisory ID: REVIVE-SA-2015-001
  • CVE-IDs: CVE-2015-7364, CVE-2015-7365, CVE-2015-7366, CVE-2015-7367, CVE-2015-7368, CVE-2015-7369, CVE-2015-7370, CVE-2015-7371, CVE-2015-7372, CVE-2015-7373
  • Date: 2015-10-07
  • Risk Level: Medium
  • Applications affected: Revive Adserver
  • Versions affected: <= 3.2.1
  • Versions not affected: >= 3.2.2
  • Website: https://www.revive-adserver.com/

Vulnerability 1 – Cross-Site Request Forgery (CSRF)

  • CVE-ID: CVE-2015-7364
  • CWE-ID: CWE-352
  • CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)

Description

Abdullah Hussam Gazi discovered that the CSRF protection mechanism introduced a few years ago to secure the forms generated with the HTML_Quickform library (most of the forms in Revive Adserver’s admin UI) could be easily bypassed by sending an empty token along with the POST data. The range of malicious actions includes, but is not limited to, modifying entities like banners and zones and altering preferences and settings.

References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7364
  • http://cwe.mitre.org/data/definitions/352.html
  • https://github.com/revive-adserver/revive-adserver/commit/288f81cc

Vulnerability 2 – Reflected XSS

  • CVE-ID: CVE-2015-7365
  • CWE-ID: CWE-79
  • CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description

Abdullah Hussam Gazi has discovered that the plugin upgrade form was not properly escaping filenames before displaying them when uploading a file containing errors. Exploiting the vulnerability required a specifically crafted multipart POST message.

References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7365
  • http://cwe.mitre.org/data/definitions/79.html
  • https://github.com/revive-adserver/revive-adserver/commit/b5848808

Vulnerability 3 – Cross-Site Request Forgery (CSRF)

  • CVE-ID: CVE-2015-7366
  • CWE-ID: CWE-532
  • CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)

Description

N B Sri Harsha has discovered that some plugin actions (e.g. enabling, disabling) could be performed via GET without any CSRF protection mechanism. Successful CSRF attacks could potentially lead to service disruptions in the case of core plugins being disabled. He also discovered that the account-user-*.php scripts were not checking the CSRF token sent via POST, allowing minor attacks, such as changing the victim’s contact name and language.

References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7366
  • http://cwe.mitre.org/data/definitions/352.html
  • https://github.com/revive-adserver/revive-adserver/commit/13d8181f

Vulnerability 4 – Improper Access Control

  • CVE-ID: CVE-2015-7367
  • CWE-ID: CWE-284
  • CVSSv2: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)

Description

N B Sri Harsha discovered that deleting or unlinking users with an active session didn’t have any effect until the session was expired, potentially allowing the users to perform undesired actions while such sessions were still active.

References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7367
  • http://cwe.mitre.org/data/definitions/284.html
  • https://github.com/revive-adserver/revive-adserver/commit/ccbd1cc5

Vulnerability 5 – Information Exposure Through Browser Caching

  • CVE-ID: CVE-2015-7368
  • CWE-ID: CWE-525
  • CVSSv2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Description

N B Sri Harsha has discovered that the cached copies of pages visited in Revive Adserver’s admin UI were still reachable via the browser history after successfully logging out. This potentially allowed expose of sensitive information to unauthorised parties.

References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7368
  • http://cwe.mitre.org/data/definitions/525.html
  • https://github.com/revive-adserver/revive-adserver/commit/15aac363
  • https://github.com/revive-adserver/revive-adserver/commit/c76f675d

Vulnerability 6 – Overly Permissive Cross-domain Whitelist

  • CVE-ID: CVE-2015-7369
  • CWE-ID: CWE-942
  • CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)

Description

Sergey Markov has reported that the crossdomain.xml files shipped with Revive Adserver are overly permissive. On a default installation they could in fact be exploited with malicious intents, e.g. to steal session cookies.

References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7369
  • http://cwe.mitre.org/data/definitions/942.html
  • https://github.com/revive-adserver/revive-adserver/commit/4be0aa55

Vulnerability 7 – Reflected XSS

  • CVE-ID: CVE-2015-7370
  • CWE-ID: CWE-79
  • CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description

Sergey Markov has discovered that the open-flash-chart.swf file, used by the VideoAds plugin in Revive Adserver, was vulnerable to reflected XSS attacks on the id and data-file parameters. This file was included via the third party LGPLv2 graphing library, Open Flash Chart 2, which appears to be currently unmaintained. The Revive Adserver team has therefore decided to fix the vulnerabilities that had been reported and to publish a github repository for the library, containing its history and the vulnerability fixes, for the benefit of everyone else using it: https://github.com/revive-adserver/open-flash-chart

References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7370
  • http://cwe.mitre.org/data/definitions/79.html
  • https://github.com/revive-adserver/revive-adserver/commit/202eb15c
  • https://github.com/revive-adserver/revive-adserver/commit/e9cda5a4
  • https://github.com/revive-adserver/open-flash-chart/commit/0a181c56

Vulnerability 8 – Improper Access Control

  • CVE-ID: CVE-2015-7371
  • CWE-ID: CWE-284
  • CVSSv2: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Description

Krzysztof K. Wasielewski reported that run-mpe.php, a script used by the admin UI to asynchronously trigger a run of the Maintenance Priority Engine when necessary, was lacking proper authentication and access control and could therefore be called by any third party. Running maintenance is a resource intensive task, although a locking mechanism prevents it from being run multiple times concurrently; thus, run-mpe.php cannot be used alone for a resource exhaustion attack.

References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7371
  • http://cwe.mitre.org/data/definitions/284.html
  • https://github.com/revive-adserver/revive-adserver/commit/12cefa6f

Vulnerability 9 – Local File Inclusion

  • CVE-ID: CVE-2015-7372
  • CWE-ID: CWE-98
  • CVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Description

Krzysztof K. Wasielewski reported that the layerstyle parameter in al.php was not properly sanitized, causing a potential LFI vulnerability. Under normal circumstances, an attacker would need to place a file named layerstyle.inc.php in an arbitrary directory on the server and craft the layerstyle parameter accordingly to load it. If an old version of PHP is being used the server, other attack techniques might be possible, e.g. NULL-byte truncation.

References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7372
  • http://cwe.mitre.org/data/definitions/98.html
  • https://github.com/revive-adserver/revive-adserver/commit/86b623f8
  • https://github.com/revive-adserver/revive-adserver/commit/c76f675d

Vulnerability 10 – Reflected XSS (Cross-site scripting)

  • CVE-ID: CVE-2015-7373
  • CWE-ID: CWE-79
  • CVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Description

A feature called “magic-macros” in Revive Adserver allows dynamic data to be displayed in the banner output. There is a predefined set of such macros (e.g. {random}, {clickurl}, etc.), but the feature also allows the display of arbitrary GET parameters. A user reported that the values coming from GET parameters were not properly escaped before being displayed, thus making banners using such magic-macros a potential vector for XSS attacks.

References

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7373
  • http://cwe.mitre.org/data/definitions/79.html
  • https://github.com/revive-adserver/revive-adserver/commit/c40abff6
  • https://github.com/revive-adserver/revive-adserver/commit/c76f675d

Solution

We strongly advise people to upgrade to the most recent 3.2.2 release of Revive Adserver, including those running OpenX Source or older versions of the application.

Contact Information

The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>

Please review https://www.revive-adserver.com/security/ before doing so.