Revive Adserver 3.2.2 Session Fixation / XSS / CSRF

2016.03.03
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

======================================================================== Revive Adserver Security Advisory REVIVE-SA-2016-001 ======================================================================== http://www.revive-adserver.com/security/revive-sa-2016-001 ======================================================================== CVE-IDs: TBA Date: 2016-03-02 Risk Level: Medium Applications affected: Revive Adserver Versions affected: <= 3.2.2 Versions not affected: >= 3.2.3 Website: http://www.revive-adserver.com/ ======================================================================== ======================================================================== Vulnerability 1 - Improper Restriction of Excessive Authentication Attempts ======================================================================== CVE-ID: TBA CWE-ID: CWE-307 CVSSv2: 8.5 (AV:N/AC:L/Au:N/C:C/I:P/A:N) ======================================================================== Karan M. Tank and Smit B. Shah have reported via HackerOne that the login page of Revive Adserver was vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a counter-measure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress. A CVE-ID has been requested, but not assigned yet. References ========== https://cwe.mitre.org/data/definitions/307.html https://github.com/revive-adserver/revive-adserver/commit/84794139 ======================================================================== Vulnerability 2 - Session Fixation ======================================================================== CVE-ID: TBA CWE-ID: CWE-384 CVSSv2: 7.8 (AV:N/AC:M/Au:N/C:C/I:P/A:N) ======================================================================== The HackerOne users kaviya and Kamini Singh have independently reported that Revive Adserver was vulnerable to session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated sessions. A CVE-ID has been requested, but not assigned yet. References ========== https://cwe.mitre.org/data/definitions/384.html https://github.com/revive-adserver/revive-adserver/commit/49103656 ======================================================================== Vulnerability 3 - Persistent XSS ======================================================================== CVE-ID: TBA CWE-ID: CWE-79 CVSSv2: 5.6 (AV:N/AC:H/Au:S/C:C/I:P/A:N) ======================================================================== Tengku Zahasman has reported via HackerOne that usernames were not properly escaped when displayed in the audit trail widget of the dashboard upon login, allowing persistent XSS attacks. An authenticated user with enough privileges to create other users could exploit the vulnerability to access the administrator account. A CVE-ID has been requested, but not assigned yet. References ========== https://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/8d8c6df3 ======================================================================== Vulnerability 4 - Cross-Site Request Forgery (CSRF) ======================================================================== CVE-ID: TBA CWE-ID: CWE-352 CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) ======================================================================== An undisclosed user has reported via HackerOne that the password recovery form in Revive Adserver was vulnerable to CSRF attacks. This vulnerability could be exploited to send a large number of password recovery emails to the registered users, especially in conjunction with a bug that caused recovery emails to be sent to all the users at once. Both issues have been fixed. A CVE-ID has been requested, but not assigned yet. References ========== https://cwe.mitre.org/data/definitions/352.html https://github.com/revive-adserver/revive-adserver/commit/3aaebcc7 ======================================================================== Vulnerability 5 - Reflected XSS ======================================================================== CVE-ID: TBA CWE-ID: CWE-79 CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N) ======================================================================== The HackerOne user @decidedlygray has reported that the affiliate-preview.php script in www/admin is vulnerable to a reflected XSS attack. This vulnerability could be used by an attacker to steal the session ID of an authenticated user, by tricking them into visiting a specifically crafted URL. A CVE-ID has been requested, but not assigned yet. References ========== https://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/a323fd62 https://github.com/revive-adserver/revive-adserver/commit/e17a7ec3 ======================================================================== Vulnerability 6 - Information Exposure Through Discrepancy ======================================================================== CVE-ID: TBA CWE-ID: CWE-203 CVSSv2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N) ======================================================================== Karan M. Tank and Smit B. Shah have reported via HackerOne that it was possible to check whether or not an email address was associated to one or more user accounts on a target Revive Adserver instance by examining the message printed by the password recovery system. Such information cannot however be used directly to log in to the system, which requires a username. A CVE-ID has been requested, but not assigned yet. References ========== https://cwe.mitre.org/data/definitions/203.html https://github.com/revive-adserver/revive-adserver/commit/38223a84 ======================================================================== Vulnerability 7 - Persistent XSS ======================================================================== CVE-ID: TBA CWE-ID: CWE-79 CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N) ======================================================================== Johan Caluwe has reported via HackerOne two vectors for persistent XSS attacks via the Revive Adserver user interface, both requiring a trusted (non-admin) account: the website name wasn't properly escaped when displayed in the campaign-zone.php script; and the banner image URL for external banners wasn't properly escaped when displayed in most of the banner related pages. A CVE-ID has been requested, but not assigned yet. References ========== https://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/f6880330 ======================================================================== Vulnerability 8 - Cross-Site Request Forgery (CSRF) ======================================================================== CVE-ID: TBA CWE-ID: CWE-352 CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) ======================================================================== The HackerOne user @decidedlygray has reported a number of scripts in Revive Adserver's user interface that were vulnerable to CSRF attacks: - www/admin/banner-acl.php - www/admin/banner-activate.php - www/admin/banner-advanced.php - www/admin/banner-modify.php - www/admin/banner-swf.php - www/admin/banner-zone.php - www/admin/tracker-modify.php A CVE-ID has been requested, but not assigned yet. References ========== https://cwe.mitre.org/data/definitions/352.html https://github.com/revive-adserver/revive-adserver/commit/65a9c811 ======================================================================== Vulnerability 9 - Cross-Site Request Forgery (CSRF) ======================================================================== CVE-ID: TBA CWE-ID: CWE-352 CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) ======================================================================== Following a number of CSRF reports, the Revive Adserver team have conducted a security audit of the admin interface scripts in order to identify and fix other potential CSRF vulnerabilities. The effort led to fixing 20+ such issues: please see the commit for the full list of files affected. A CVE-ID has been requested, but not assigned yet. References ========== https://cwe.mitre.org/data/definitions/352.html https://github.com/revive-adserver/revive-adserver/commit/e563ca61 ======================================================================== Vulnerability 10 - Reflected XSS ======================================================================== CVE-ID: TBA CWE-ID: CWE-79 CVSSv2: 5.6 (AV:N/AC:H/Au:S/C:C/I:P/A:N) ======================================================================== Johan Caluwe has reported via HackerOne that www/admin/stats.php was vulnerable to reflected XSS attacks via multiple parameters that were not properly sanitised or escaped when displayed, such as "setPerPage", "pageId", "bannerid", "pereiod_start", "period_end" and possibly others. A CVE-ID has been requested, but not assigned yet. References ========== https://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/ecbe822b48ef4ff61c2c6357c0c94199a81946f4 ======================================================================== Solution ======================================================================== We strongly advise people to upgrade to the most recent 3.2.3 release of Revive Adserver, including those running OpenX Source or older versions of the application. ======================================================================== Contact Information ======================================================================== The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>. Please review http://www.revive-adserver.com/security/ before doing so. -- Matteo Beccati On behalf of the Revive Adserver Team http://www.revive-adserver.com/

References:

http://www.revive-adserver.com/security/revive-sa-2016-001


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top