Revive Adserver Security Advisory REVIVE-SA-2016-002

• Advisory ID: REVIVE-SA-2016-002
• CVE-IDs: See below
  
• Date: 2016-09-28
• Risk Level: Medium
• Applications affected: Revive Adserver
• Versions affected: <= 3.2.4
• Versions not affected: >= 3.2.5, >= 4.0.0
• Website: https://www.revive-adserver.com/

Vulnerability 1 – Reflected file download

• CVE-ID: CVE-2016-9470
• CWE-ID: CWE-79
• CVSSv2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
• CVSSv3 Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
• CVSSv3 Base Score: 9.6
• CVSSv3 Temporal Score: 8.9

Description

Abdullah Hussam has reported via HackerOne that www/delivery/asyncspc.php was vulnerable to the fairly new Reflected File Download (RFD) web attack vector that enables attackers to gain complete control over a victim’s machine by virtually downloading a file from a trusted domain.

References

• https://cwe.mitre.org/data/definitions/79.html
• https://github.com/revive-adserver/revive-adserver/commit/69aacbd2

Vulnerability 2 – Special Element Injection

• CVE-ID: CVE-2016-9471
• CWE-ID: CWE-75
• CVSSv2: 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
• CVSSv3 Vector CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
• CVSSv3 Base Score: 3.1
• CVSSv3 Temporal Score: 2.7

Description

Joel Noguera has reported via HackerOne that usernames weren’t properly sanitised when creating users on a Revive Adserver instance. Especially, control characters were not filtered, allowing apparently identical usernames to co-exist in the system, due to the fact that such characters are normally ignored when an HTML page is displayed in a browser. The issue could have therefore been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver.

References

• https://cwe.mitre.org/data/definitions/75.html
• https://github.com/revive-adserver/revive-adserver/commit/05b1eceb

Vulnerability 3 – Reflected XSS

• CVE-ID: CVE-2016-9472
• CWE-ID: CWE-79
• CVSSv2: 4 (AV:N/AC:H/Au:N/C:P/I:P/A:N)
• CVSSv3 Vector CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
• CVSSv3 Base Score: 4.2
• CVSSv3 Temporal Score: 3.7

Description

The HackerOne user pavanw3b has reported that the Revive Adserver web installer scripts were vulnerable to a reflected XSS attack via the dbHost, dbUser and possibly other parameters. It has to be noted that the window for such attack vectors to be possible is extremely narrow and it is very unlikely that such an attack could be actually effective.

References

• https://cwe.mitre.org/data/definitions/79.html
• https://github.com/revive-adserver/revive-adserver/commit/14ff73f0
• https://github.com/revive-adserver/revive-adserver/commit/fcf72c8a

Solution

We strongly advise people to upgrade to the most recent 4.0.0 or 3.2.5 releases of Revive Adserver, including those running OpenX Source or older versions of the application.

Contact Information

The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>

Please review https://www.revive-adserver.com/security/ before doing so.