Revive Adserver Security Advisory REVIVE-SA-2021-001
- Advisory ID: REVIVE-SA-2021-001
- CVE-IDs: CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
- Date: 2021-01-19
- Risk Level: Low
- Applications affected: Revive Adserver
- Versions affected: <= 5.0.5
- Versions not affected: >= 5.1.0
- Website: https://www.revive-adserver.com/
Vulnerability 1 – Persistent XSS
- Vulnerability type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
- CVE-ID: CVE-2021-22871
- CVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
- CVSS Base Score: 3.5
- CVSS Impact Subscore: 2.5
- CVSS Exploitability Subscore: 0.9
Description
A persistent XSS vulnerability has been discovered by security researcher Keyur Vala. An attacker with manager account credentials could store HTML code in a website property, which could subsequently be displayed unescaped on a specific page to other users in the system.
Details
Any user with a manager account could store specially crafted content in the URL website property, which was then displayed unsanitised in the affiliate-preview.php tag generation screen, potentially to other users in the system, allowing a persistent XSS attack to take place. The target users would, however, mostly have access to the same resources as the attacker, so the practical applications are not considered particularly harmful, especially since the session cookie cannot be accessed via JavaScript.
References
Vulnerability 2 – Reflected XSS
- Vulnerability type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
- CVE-ID: CVE-2021-22872
- CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- CVSS Base Score: 4.3
- CVSS Impact Subscore: 1.4
- CVSS Exploitability Subscore: 2.8
Description
Security researcher Axel Flamcourt has discovered that the fix for the reflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on older browsers by sending specially crafted payloads to the publicly accessible afr.php delivery script of Revive Adserver. The practical applications are not considered particularly harmful, especially since the session cookie cannot be accessed via JavaScript.
Details
The previous fix worked on most modern browsers, but some older browsers, IE11 for example, do not automatically URL-encode query parameters, which left an opportunity to inject closing and opening script tags and achieve a reflected XSS attack.
References
Vulnerability 3 – Open Redirect
- Vulnerability type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]
- CVE-ID: CVE-2021-22873
- CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CVSS Base Score: 5.4
- CVSS Impact Subscore: 2.5
- CVSS Exploitability Subscore: 2.8
Description
An opportunity for open redirects has been available by design since the early versions of Revive Adserver’s predecessors in the impression and click tracking scripts, to allow third-party ad servers to track such metrics when delivering ads. Historically the display advertising industry has considered that to be a feature, not a real vulnerability. Things have evolved since then and third-party click tracking via redirects is no longer a viable option; therefore all functionality using open redirects in delivery scripts has been removed from Revive Adserver.
Details
The lg.php and ck.php delivery scripts were subject to open redirect via the dest, oadest and/or ct0 parameters. All of them are now ignored, and redirects are only performed (when applicable) to destination URLs stored in the properties of the banner being displayed. A new signed click delivery script has been introduced with an HMAC-signed destination parameter, allowing customisable destination URLs while preventing the destination from being tampered with by attackers.
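The following is an added illustration of the signed-destination approach described above; it is not Revive Adserver's own code, and the advisory does not describe the project's exact signature scheme. The click script honours a dest parameter only when its HMAC verifies, and otherwise falls back to the banner's stored destination. The clk.php script name, the secret key and all URLs are constructed assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed server-side secret for this example; a real deployment uses a
# per-installation secret that is never sent to clients.
SECRET_KEY = b"example-secret-key-not-for-production"
CLICK_SCRIPT = "https://ads.example.com/www/delivery/clk.php"  # hypothetical


def sign_destination(dest: str, key: bytes = SECRET_KEY) -> str:
    """Hex HMAC-SHA256 tag over the destination URL (the only value signed)."""
    return hmac.new(key, dest.encode("utf-8"), hashlib.sha256).hexdigest()


def build_click_url(dest: str, key: bytes = SECRET_KEY) -> str:
    """Build a click URL that carries the destination plus its signature.

    This is done server side when the ad tag is generated, so only the
    installation holding the key can mint valid (dest, sig) pairs.
    """
    return CLICK_SCRIPT + "?" + urlencode({"dest": dest, "sig": sign_destination(dest, key)})


def legacy_resolve_redirect(click_url: str, banner_dest: str) -> str:
    """Pre-fix behaviour (open redirect): any caller-supplied dest is trusted."""
    params = parse_qs(urlsplit(click_url).query)
    return params.get("dest", [banner_dest])[0]


def resolve_redirect(click_url: str, banner_dest: str, key: bytes = SECRET_KEY) -> str:
    """Fixed behaviour: redirect to dest only if its signature verifies.

    An unsigned, missing or tampered dest is ignored and the redirect goes to
    the destination stored in the banner's own properties instead.
    """
    params = parse_qs(urlsplit(click_url).query)
    dest = params.get("dest", [None])[0]
    sig = params.get("sig", [None])[0]
    if dest is not None and sig is not None:
        expected = sign_destination(dest, key)
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if hmac.compare_digest(expected, sig):
            return dest
    return banner_dest
```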
References
Solution
We strongly advise people to upgrade to the most recent version of Revive Adserver, 5.1.0.
Contact Information
The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>
Please review https://www.revive-adserver.com/security/ before doing so.