Revive Adserver Security Advisory REVIVE-SA-2016-001
- Advisory ID: REVIVE-SA-2016-001
- CVE-IDs: See below
- Date: 2016-03-02
- Risk Level: Medium
- Applications affected: Revive Adserver
- Versions affected: <= 3.2.2
- Versions not affected: >= 3.2.3
- Website: https://www.revive-adserver.com/
Vulnerability 1 – Improper Restriction of Excessive Authentication Attempts
- CVE-ID: CVE-2016-9124
- CWE-ID: CWE-307
- CVSSv2: 8.5 (AV:N/AC:L/Au:N/C:C/I:P/A:N)
Description
Karan M. Tank and Smit B. Shah have reported via HackerOne that the login page of Revive Adserver was vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a counter-measure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress.
References
- https://cwe.mitre.org/data/definitions/307.html
- https://github.com/revive-adserver/revive-adserver/commit/847941390f5b3310d51b07c92ec91cc1f4cc82c9
Vulnerability 2 – Session Fixation
- CVE-ID: CVE-2016-9125
- CWE-ID: CWE-384
- CVSSv2: 7.8 (AV:N/AC:M/Au:N/C:C/I:P/A:N)
Description
The HackerOne users kaviya and Kamini Singh have independently reported that Revive Adserver was vulnerable to session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated sessions.
References
- https://cwe.mitre.org/data/definitions/384.html
- https://github.com/revive-adserver/revive-adserver/commit/4910365631eabbb208961c36149f41cc8159fb39
Vulnerability 3 – Persistent XSS
- CVE-ID: CVE-2016-9126
- CWE-ID: CWE-79
- CVSSv2: 5.6 (AV:N/AC:H/Au:S/C:C/I:P/A:N)
Description
Tengku Zahasman has reported via HackerOne that usernames were not properly escaped when displayed in the audit trail widget of the dashboard upon login, allowing persistent XSS attacks. An authenticated user with enough privileges to create other users could exploit the vulnerability to access the administrator account.
References
- https://cwe.mitre.org/data/definitions/79.html
- https://github.com/revive-adserver/revive-adserver/commit/8d8c6df309ff5fde9dd4770abcd4ec5d2449b3ec
Vulnerability 4 – Cross-Site Request Forgery (CSRF)
- CVE-ID: CVE-2016-9127
- CWE-ID: CWE-352
- CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Description
An undisclosed user has reported via HackerOne that the password recovery form in Revive Adserver was vulnerable to CSRF attacks. This vulnerability could be exploited to send a large number of password recovery emails to the registered users, especially in conjunction with a bug that caused recovery emails to be sent to all the users at once. Both issues have been fixed.
References
- https://cwe.mitre.org/data/definitions/352.html
- https://github.com/revive-adserver/revive-adserver/commit/3aaebcc765797d2c684e031f2836e0a69d6b7bc2
Vulnerability 5 – Reflected XSS
- CVE-ID: CVE-2016-9128
- CWE-ID: CWE-79
- CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Description
The HackerOne user @decidedlygray has reported that the affiliate-preview.php script in www/admin is vulnerable to a reflected XSS attack. This vulnerability could be used by an attacker to steal the session ID of an authenticated user, by tricking them into visiting a specifically crafted URL.
References
- https://cwe.mitre.org/data/definitions/79.html
- https://github.com/revive-adserver/revive-adserver/commit/a323fd626627e8d42819fd5b7e2829196b5c54a3
- https://github.com/revive-adserver/revive-adserver/commit/e17a7ec3412ded751cda50b82338de471d656d74
Vulnerability 6 – Information Exposure Through Discrepancy
- CVE-ID: CVE-2016-9129
- CWE-ID: CWE-203
- CVSSv2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Description
Karan M. Tank and Smit B. Shah have reported via HackerOne that it was possible to check whether or not an email address was associated to one or more user accounts on a target Revive Adserver instance by examining the message printed by the password recovery system. Such information cannot however be used directly to log in to the system, which requires a username.
References
- https://cwe.mitre.org/data/definitions/203.html
- https://github.com/revive-adserver/revive-adserver/commit/38223a841190bebd7a137c7bed84fbbcb2b0c2a5
Vulnerability 7 – Persistent XSS
- CVE-IDs: CVE-2016-9130, CVE-2016-9454
- CWE-ID: CWE-79
- CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Description
Johan Caluwe has reported via HackerOne two vectors for persistent XSS attacks via the Revive Adserver user interface, both requiring a trusted (non-admin) account:
- the website name wasn’t properly escaped when displayed in the campaign-zone.php script; and
- the banner image URL for external banners wasn’t properly escaped when displayed in most of the banner related pages.
References
- https://cwe.mitre.org/data/definitions/79.html
- https://github.com/revive-adserver/revive-adserver/commit/f6880330a8e11e804663f132867e9eb9b1f94e83
Vulnerability 8 – Cross-Site Request Forgery (CSRF)
- CVE-ID: CVE-2016-9455
- CWE-ID: CWE-352
- CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Description
The HackerOne user @decidedlygray has reported a number of scripts in Revive Adserver’s user interface that were vulnerable to CSRF attacks:
- www/admin/banner-acl.php
- www/admin/banner-activate.php
- www/admin/banner-advanced.php
- www/admin/banner-modify.php
- www/admin/banner-swf.php
- www/admin/banner-zone.php
- www/admin/tracker-modify.php
References
- https://cwe.mitre.org/data/definitions/352.html
- https://github.com/revive-adserver/revive-adserver/commit/65a9c8119b4bc7493fd957e1a8d6f6f731298b45
Vulnerability 9 – Cross-Site Request Forgery (CSRF)
- CVE-ID: CVE-2016-9456
- CWE-ID: CWE-352
- CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Description
Following a number of CSRF reports, the Revive Adserver team have conducted a security audit of the admin interface scripts in order to identify and fix other potential CSRF vulnerabilities.
The effort led to fixing 20+ such issues: please see the commit for the full list of files affected.
References
- https://cwe.mitre.org/data/definitions/352.html
- https://github.com/revive-adserver/revive-adserver/commit/e563ca61e4f3b7210cb61f53284adaa8aef4a49a
Vulnerability 10 – Reflected XSS
- CVE-ID: CVE-2016-9457
- CWE-ID: CWE-79
- CVSSv2: 5.6 (AV:N/AC:H/Au:S/C:C/I:P/A:N)
Description
Johan Caluwe has reported via HackerOne that www/admin/stats.php was vulnerable to reflected XSS attacks via multiple parameters that were not properly sanitised or escaped when displayed, such as “setPerPage”, “pageId”, “bannerid”, “pereiod_start”, “period_end” and possibly others.
References
- https://cwe.mitre.org/data/definitions/79.html
- https://github.com/revive-adserver/revive-adserver/commit/ecbe822b48ef4ff61c2c6357c0c94199a81946f4
Solution
We strongly advise people to upgrade to the most recent 3.2.3 release of Revive Adserver, including those running OpenX Source or older versions of the application.
Contact Information
The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>
Please review https://www.revive-adserver.com/security/ before doing so.