========================================================================
Revive Adserver Security Advisory REVIVE-SA-2016-001
========================================================================
http://www.revive-adserver.com/security/revive-sa-2016-001
========================================================================
CVE-IDs: TBA
Date: 2016-03-02
Risk Level: Medium
Applications affected: Revive Adserver
Versions affected: <= 3.2.2
Versions not affected: >= 3.2.3
Website: http://www.revive-adserver.com/
========================================================================
========================================================================
Vulnerability 1 - Improper Restriction of Excessive Authentication
Attempts
========================================================================
CVE-ID: TBA
CWE-ID: CWE-307
CVSSv2: 8.5 (AV:N/AC:L/Au:N/C:C/I:P/A:N)
========================================================================
Karan M. Tank and Smit B. Shah have reported via HackerOne that the
login page of Revive Adserver was vulnerable to password-guessing
attacks. An account lockdown feature was considered, but rejected to
avoid introducing service disruptions to regular users during such
attacks. A random delay has instead been introduced as a counter-measure
in case of password failures, along with a system to discourage parallel
brute forcing. These systems will effectively allow the valid users to
log in to the adserver, even while an attack is in progress.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/307.html
https://github.com/revive-adserver/revive-adserver/commit/84794139
========================================================================
Vulnerability 2 - Session Fixation
========================================================================
CVE-ID: TBA
CWE-ID: CWE-384
CVSSv2: 7.8 (AV:N/AC:M/Au:N/C:C/I:P/A:N)
========================================================================
The HackerOne users kaviya and Kamini Singh have independently reported
that Revive Adserver was vulnerable to session fixation, by allowing
arbitrary session identifiers to be forced and, at the same time, by not
invalidating the existing session upon a successful authentication.
Under some circumstances, that could have been an opportunity for an
attacker to steal an authenticated sessions.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/384.html
https://github.com/revive-adserver/revive-adserver/commit/49103656
========================================================================
Vulnerability 3 - Persistent XSS
========================================================================
CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 5.6 (AV:N/AC:H/Au:S/C:C/I:P/A:N)
========================================================================
Tengku Zahasman has reported via HackerOne that usernames were not
properly escaped when displayed in the audit trail widget of the
dashboard upon login, allowing persistent XSS attacks. An authenticated
user with enough privileges to create other users could exploit the
vulnerability to access the administrator account.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/8d8c6df3
========================================================================
Vulnerability 4 - Cross-Site Request Forgery (CSRF)
========================================================================
CVE-ID: TBA
CWE-ID: CWE-352
CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
========================================================================
An undisclosed user has reported via HackerOne that the password
recovery form in Revive Adserver was vulnerable to CSRF attacks. This
vulnerability could be exploited to send a large number of password
recovery emails to the registered users, especially in conjunction with
a bug that caused recovery emails to be sent to all the users at once.
Both issues have been fixed.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/352.html
https://github.com/revive-adserver/revive-adserver/commit/3aaebcc7
========================================================================
Vulnerability 5 - Reflected XSS
========================================================================
CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
========================================================================
The HackerOne user @decidedlygray has reported that the
affiliate-preview.php script in www/admin is vulnerable to a reflected
XSS attack. This vulnerability could be used by an attacker to steal the
session ID of an authenticated user, by tricking them into visiting a
specifically crafted URL.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/a323fd62
https://github.com/revive-adserver/revive-adserver/commit/e17a7ec3
========================================================================
Vulnerability 6 - Information Exposure Through Discrepancy
========================================================================
CVE-ID: TBA
CWE-ID: CWE-203
CVSSv2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
========================================================================
Karan M. Tank and Smit B. Shah have reported via HackerOne that it was
possible to check whether or not an email address was associated to one
or more user accounts on a target Revive Adserver instance by examining
the message printed by the password recovery system. Such information
cannot however be used directly to log in to the system, which requires
a username.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/203.html
https://github.com/revive-adserver/revive-adserver/commit/38223a84
========================================================================
Vulnerability 7 - Persistent XSS
========================================================================
CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
========================================================================
Johan Caluwe has reported via HackerOne two vectors for persistent XSS
attacks via the Revive Adserver user interface, both requiring a trusted
(non-admin) account:
the website name wasn't properly escaped when displayed in the
campaign-zone.php script; and
the banner image URL for external banners wasn't properly escaped when
displayed in most of the banner related pages.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/f6880330
========================================================================
Vulnerability 8 - Cross-Site Request Forgery (CSRF)
========================================================================
CVE-ID: TBA
CWE-ID: CWE-352
CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
========================================================================
The HackerOne user @decidedlygray has reported a number of scripts in
Revive Adserver's user interface that were vulnerable to CSRF attacks:
- www/admin/banner-acl.php
- www/admin/banner-activate.php
- www/admin/banner-advanced.php
- www/admin/banner-modify.php
- www/admin/banner-swf.php
- www/admin/banner-zone.php
- www/admin/tracker-modify.php
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/352.html
https://github.com/revive-adserver/revive-adserver/commit/65a9c811
========================================================================
Vulnerability 9 - Cross-Site Request Forgery (CSRF)
========================================================================
CVE-ID: TBA
CWE-ID: CWE-352
CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
========================================================================
Following a number of CSRF reports, the Revive Adserver team have
conducted a security audit of the admin interface scripts in order to
identify and fix other potential CSRF vulnerabilities.
The effort led to fixing 20+ such issues: please see the commit for the
full list of files affected.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/352.html
https://github.com/revive-adserver/revive-adserver/commit/e563ca61
========================================================================
Vulnerability 10 - Reflected XSS
========================================================================
CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 5.6 (AV:N/AC:H/Au:S/C:C/I:P/A:N)
========================================================================
Johan Caluwe has reported via HackerOne that www/admin/stats.php was
vulnerable to reflected XSS attacks via multiple parameters that were
not properly sanitised or escaped when displayed, such as "setPerPage",
"pageId", "bannerid", "pereiod_start", "period_end" and possibly others.
A CVE-ID has been requested, but not assigned yet.
References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/ecbe822b48ef4ff61c2c6357c0c94199a81946f4
========================================================================
Solution
========================================================================
We strongly advise people to upgrade to the most recent 3.2.3 release
of Revive Adserver, including those running OpenX Source or older
versions of the application.
========================================================================
Contact Information
========================================================================
The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.
Please review http://www.revive-adserver.com/security/ before doing so.
--
Matteo Beccati
On behalf of the Revive Adserver Team
http://www.revive-adserver.com/