Revive Adserver Security Advisory REVIVE-SA-2016-001

Revive Adserver Security Advisory REVIVE-SA-2016-001

Vulnerability 1 – Improper Restriction of Excessive Authentication Attempts

  • CVE-ID: CVE-2016-9124
  • CWE-ID: CWE-307
  • CVSSv2: 8.5 (AV:N/AC:L/Au:N/C:C/I:P/A:N)

Description

Karan M. Tank and Smit B. Shah have reported via HackerOne that the login page of Revive Adserver was vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a counter-measure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress.

References

Vulnerability 2 – Session Fixation

  • CVE-ID: CVE-2016-9125
  • CWE-ID: CWE-384
  • CVSSv2: 7.8 (AV:N/AC:M/Au:N/C:C/I:P/A:N)

Description

The HackerOne users kaviya and Kamini Singh have independently reported that Revive Adserver was vulnerable to session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated sessions.

References

Vulnerability 3 – Persistent XSS

  • CVE-ID: CVE-2016-9126
  • CWE-ID: CWE-79
  • CVSSv2: 5.6 (AV:N/AC:H/Au:S/C:C/I:P/A:N)

Description

Tengku Zahasman has reported via HackerOne that usernames were not properly escaped when displayed in the audit trail widget of the dashboard upon login, allowing persistent XSS attacks. An authenticated user with enough privileges to create other users could exploit the vulnerability to access the administrator account.

References

Vulnerability 4 – Cross-Site Request Forgery (CSRF)

  • CVE-ID: CVE-2016-9127
  • CWE-ID: CWE-352
  • CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Description

An undisclosed user has reported via HackerOne that the password recovery form in Revive Adserver was vulnerable to CSRF attacks. This vulnerability could be exploited to send a large number of password recovery emails to the registered users, especially in conjunction with a bug that caused recovery emails to be sent to all the users at once. Both issues have been fixed.

References

Vulnerability 5 – Reflected XSS

  • CVE-ID: CVE-2016-9128
  • CWE-ID: CWE-79
  • CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Description

The HackerOne user @decidedlygray has reported that the affiliate-preview.php script in www/admin is vulnerable to a reflected XSS attack. This vulnerability could be used by an attacker to steal the session ID of an authenticated user, by tricking them into visiting a specifically crafted URL.

References

Vulnerability 6 – Information Exposure Through Discrepancy

  • CVE-ID: CVE-2016-9129
  • CWE-ID: CWE-203
  • CVSSv2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description

Karan M. Tank and Smit B. Shah have reported via HackerOne that it was possible to check whether or not an email address was associated to one or more user accounts on a target Revive Adserver instance by examining the message printed by the password recovery system. Such information cannot however be used directly to log in to the system, which requires a username.

References

Vulnerability 7 – Persistent XSS

Description

Johan Caluwe has reported via HackerOne two vectors for persistent XSS attacks via the Revive Adserver user interface, both requiring a trusted (non-admin) account:

  1. the website name wasn’t properly escaped when displayed in the campaign-zone.php script; and
  2. the banner image URL for external banners wasn’t properly escaped when displayed in most of the banner related pages.

References

Vulnerability 8 – Cross-Site Request Forgery (CSRF)

  • CVE-ID: CVE-2016-9455
  • CWE-ID: CWE-352
  • CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Description

The HackerOne user @decidedlygray has reported a number of scripts in Revive Adserver’s user interface that were vulnerable to CSRF attacks:

  • www/admin/banner-acl.php
  • www/admin/banner-activate.php
  • www/admin/banner-advanced.php
  • www/admin/banner-modify.php
  • www/admin/banner-swf.php
  • www/admin/banner-zone.php
  • www/admin/tracker-modify.php

References

Vulnerability 9 – Cross-Site Request Forgery (CSRF)

  • CVE-ID: CVE-2016-9456
  • CWE-ID: CWE-352
  • CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Description

Following a number of CSRF reports, the Revive Adserver team have conducted a security audit of the admin interface scripts in order to identify and fix other potential CSRF vulnerabilities.

The effort led to fixing 20+ such issues: please see the commit for the full list of files affected.

References

Vulnerability 10 – Reflected XSS

  • CVE-ID: CVE-2016-9457
  • CWE-ID: CWE-79
  • CVSSv2: 5.6 (AV:N/AC:H/Au:S/C:C/I:P/A:N)

Description

Johan Caluwe has reported via HackerOne that www/admin/stats.php was vulnerable to reflected XSS attacks via multiple parameters that were not properly sanitised or escaped when displayed, such as “setPerPage”, “pageId”, “bannerid”, “pereiod_start”, “period_end” and possibly others.

References

Solution

We strongly advise people to upgrade to the most recent 3.2.3 release of Revive Adserver, including those running OpenX Source or older versions of the application.

Contact Information

The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>

Please review http://www.revive-adserver.com/security/ before doing so.