Revive Adserver Security Advisory REVIVE-SA-2021-001

  • Advisory ID: REVIVE-SA-2021-001
  • CVE-IDs: CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
  • Date: 2021-01-19
  • Risk Level: Low
  • Applications affected: Revive Adserver
  • Versions affected: <= 5.0.5
  • Versions not affected: >= 5.1.0
  • Website: https://www.revive-adserver.com/

Vulnerability 1 – Persistent XSS

  • Vulnerability type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
  • CVE-ID: CVE-2021-22871
  • CVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
  • CVSS Base Score: 3.5
  • CVSS Impact Subscore: 2.5
  • CVSS Exploitability Subscore: 0.9

Description

A persistent XSS vulnerability has been discovered by security researcher Keyur Vala. An attacker with manager account credentials could store HTML code in a website property, which could subsequently be displayed unescaped on a specific page to other users in the system.

Details

Any user with a manager account could store specifically crafted content in the URL property of a website, which was then displayed unsanitised in the affiliate-preview.php tag generation screen, potentially to other users in the system, allowing a persistent XSS attack to take place. The target users would however mostly have access to the same resources as the attacker, so the practical applications are not considered particularly harmful, especially since the session cookie cannot be accessed via JavaScript.
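The following is an added illustration of the flaw's shape and its fix, written for this advisory rather than taken from the Revive Adserver code base: a stored website URL is echoed into a preview page once without escaping and once with HTML escaping at output time, plus an input-side check that an administrator can run over existing website records. The stored payload, the page fragment and the record layout are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed stand-in for the "URL" property of a website record. The value is
# the kind of thing a manager-level account could have saved in a vulnerable
# version; it is invented here for illustration, not taken from a real report.
STORED_WEBSITE_URL = 'http://example.com/"><script>alert(document.domain)</script>'


def render_tag_preview_vulnerable(website_url: str) -> str:
    """Illustrative vulnerable shape: the stored property is copied straight
    into the page, so a quote closes the href and the rest is parsed as HTML."""
    return f'<p>Website: <a href="{website_url}">{website_url}</a></p>'


def render_tag_preview_fixed(website_url: str) -> str:
    """Same fragment with the value HTML-escaped at output time. quote=True
    also encodes " and ', which covers the attribute context as well."""
    safe = html.escape(website_url, quote=True)
    return f'<p>Website: <a href="{safe}">{safe}</a></p>'


def validate_website_url(candidate: str) -> bool:
    """Input-side check for the property: only http(s) URLs with a host and no
    HTML metacharacters. This narrows what can be stored; output escaping is
    still the control that prevents the XSS."""
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return not any(c in candidate for c in '<>"\'')


def find_suspicious_urls(rows):
    """Hygiene check for an install that ran a vulnerable version: return the
    ids of website records whose stored URL fails validation. `rows` is any
    iterable of (id, url) pairs, e.g. pulled from the websites table."""
    return [row_id for row_id, url in rows if not validate_website_url(url)]
```

The advisory's "session cookie cannot be accessed via JavaScript" caveat reduces the impact of a stored payload but does not neutralise it: script running in another manager's page can still issue requests with that user's session. Escaping at the point of output is the fix; the validation and the record scan are defence in depth.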

References

Vulnerability 2 – Reflected XSS

  • Vulnerability type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
  • CVE-ID: CVE-2021-22872
  • CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  • CVSS Base Score: 4.3
  • CVSS Impact Subscore: 1.4
  • CVSS Exploitability Subscore: 2.8

Description

Security researcher Axel Flamcourt has discovered that the fix for the reflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on older browsers with specifically crafted payloads to the publicly accessible afr.php delivery script of Revive Adserver. The practical applications are not considered particularly harmful, especially since the session cookie cannot be accessed via JavaScript.

Details

The previous fix worked on most modern browsers, but some older browsers (e.g. IE11) do not automatically URL-encode parameters, leaving an opportunity to inject closing and opening script tags and achieve a reflected XSS attack.
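An added example of the class of bypass described above, written for this advisory and not modelled on Revive Adserver's actual afr.php code: a value from the query string is reflected into an inline script. The fragile version copies the raw query string and only looks safe because a modern browser percent-encodes `<` and `>` before sending; an older browser sends the characters verbatim and the payload closes the script element. The fixed version decodes the parameter on the server and then encodes it for the JavaScript-string context, so what the client did with the URL no longer matters. The parameter name `refresh`, the two request strings and the page fragment are constructed for the example.

```python
import json
from urllib.parse import parse_qs, quote

# Constructed payload and the two ways it can arrive for the same link.
PAYLOAD = '</script><script>alert(document.domain)</script>'
QUERY_MODERN_BROWSER = 'refresh=' + quote(PAYLOAD, safe='')  # '<' sent as %3C
QUERY_OLD_BROWSER = 'refresh=' + PAYLOAD                      # sent verbatim


def reflect_raw(query_string: str) -> str:
    """Fragile pattern: the raw query string is dropped into an inline script.
    Tested only with a browser that percent-encodes, it appears to be safe."""
    return f'<script>var q = "{query_string}";</script>'


def js_string_literal(value: str) -> str:
    """Encode a value for a JS string literal inside an HTML <script> block.
    json.dumps handles quotes, backslashes and line terminators; '<', '>' and
    '&' are then written as \\u escapes so the HTML tokenizer can never see
    a closing </script> tag, whatever encoding the client used."""
    encoded = json.dumps(value)
    return (encoded.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def reflect_fixed(query_string: str) -> str:
    """Decode the parameter server-side, then encode for the output context."""
    params = parse_qs(query_string, keep_blank_values=True)
    value = params.get('refresh', [''])[0]
    return f'<script>var q = {js_string_literal(value)};</script>'


def breaks_out(rendered: str) -> bool:
    """True if the payload produced a second script element in the page."""
    return rendered.count('<script') > 1
```

The test that matters is the one the original fix missed: feed the function the literal, un-encoded form of the payload, not only what your own browser sends.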

References

Vulnerability 3 – Open Redirect

  • Vulnerability type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]
  • CVE-ID: CVE-2021-22873
  • CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVSS Base Score: 5.4
  • CVSS Impact Subscore: 2.5
  • CVSS Exploitability Subscore: 2.8

Description

An opportunity for open redirects has been available by design since the early versions of Revive Adserver’s predecessors in the impression and click tracking scripts, to allow third party ad servers to track such metrics when delivering ads. Historically the display advertising industry has considered that to be a feature, not a real vulnerability. Things have evolved since then and third party click tracking via redirects is no longer a viable option, therefore all functionality using open redirects in the delivery scripts has been removed from Revive Adserver.

Details

The lg.php and ck.php delivery scripts were subject to open redirect via the dest, oadest and/or ct0 parameters. All of them are now ignored, and redirects are only performed (when applicable) to destination URLs stored in the properties of the banner being displayed. A new signed click delivery script has been introduced with an HMAC-signed destination parameter, allowing customisable destination URLs while preventing destinations from being tampered with by attackers.
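The following is an added example of the two behaviours described above, written for this advisory and not taken from Revive Adserver's delivery scripts: the legacy resolution that honours a caller-supplied destination, the fixed resolution that ignores it, and a signed click link whose destination is accepted only when its HMAC verifies. The example also binds the banner id into the signature, which the advisory does not specify; it prevents a destination signed for one banner from being replayed on another. The key, banner record, click script URL and parameter names (`dest`, `sig`) are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values. The key is a per-installation secret that never leaves
# the server; the banner record stands in for the destination stored with it.
SIGNING_KEY = b'constructed-per-install-secret'
BANNER = {'bannerid': 42, 'url': 'https://advertiser.example/landing'}


def redirect_target_legacy(query: str, banner: dict) -> str:
    """Pre-5.1.0 shape: any of dest/oadest/ct0 overrides the stored URL, so a
    crafted link bounces the visitor anywhere (CWE-601)."""
    params = parse_qs(query)
    for name in ('dest', 'oadest', 'ct0'):
        if name in params:
            return params[name][0]
    return banner['url']


def redirect_target_fixed(query: str, banner: dict) -> str:
    """5.1.0 shape for ck.php/lg.php: the override parameters are ignored and
    only the banner's own stored destination is used."""
    return banner['url']


def sign_destination(banner_id: int, dest: str, key: bytes) -> str:
    """HMAC-SHA256 over banner id and destination; banner_id is an int, so the
    separator cannot be confused with content of dest."""
    msg = f'{banner_id}|{dest}'.encode('utf-8')
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_signed_click_url(base: str, banner: dict, dest: str, key: bytes) -> str:
    """Server side: emit a click link carrying a custom destination plus its
    signature. Only code holding the key can mint a valid link."""
    query = urlencode({
        'bannerid': banner['bannerid'],
        'dest': dest,
        'sig': sign_destination(banner['bannerid'], dest, key),
    })
    return f'{base}?{query}'


def redirect_target_signed(url: str, banner: dict, key: bytes) -> str:
    """Signed click script: honour dest only if the HMAC verifies. On a missing
    or bad signature fall back to the stored destination rather than failing
    open, so a tampered link still lands on the advertiser's real page."""
    params = parse_qs(urlsplit(url).query)
    dest = params.get('dest', [None])[0]
    sig = params.get('sig', [''])[0]
    if dest is None:
        return banner['url']
    expected = sign_destination(banner['bannerid'], dest, key)
    if hmac.compare_digest(expected, sig):  # constant-time comparison
        return dest
    return banner['url']
```

When auditing an install after upgrading, the check to make is that no link in your own creatives still depends on `dest`, `oadest` or `ct0` being honoured by lg.php or ck.php; those clicks will now land on the banner's stored URL.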

References

Solution

We strongly advise people to upgrade to the most recent 5.1.0 version of Revive Adserver.

Contact Information

The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>

Please review https://www.revive-adserver.com/security/ before doing so.