[REVIVE-SA-2021-001] Revive Adserver Vulnerabilities

Related Vulnerabilities: CVE-2021-22871   CVE-2021-22872   CVE-2021-22873  

                <!--X-Body-Begin-->
<!--X-User-Header-->
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[REVIVE-SA-2021-001] Revive Adserver Vulnerabilities</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Matteo Beccati via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Wed, 20 Jan 2021 12:11:50 +0100


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2021-001
------------------------------------------------------------------------
<a rel="nofollow" href="https://www.revive-adserver.com/security/revive-sa-2021-001">https://www.revive-adserver.com/security/revive-sa-2021-001</a>
------------------------------------------------------------------------
CVE-IDs:               CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
Date:                  2020-01-19
Risk Level:            Low
Applications affected: Revive Adserver
Versions affected:     &lt;= 5.0.5
Versions not affected: &gt;= 5.1.0
Website:               <a rel="nofollow" href="https://www.revive-adserver.com/">https://www.revive-adserver.com/</a>
========================================================================


========================================================================
Vulnerability 1 - Persistent XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation ('Cross-site Scripting') [CWE-79]
CVE-ID:                CVE-2021-22871
CVSS Base Score:       3.5
CVSSv3.1 Vector:       AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore:  2.5
CVSS Exploitability Subscore: 0.9
========================================================================

Description
-----------
A persistent XSS vulnerability has been discovered by security
researcher Keyur Vala. An attacker with manager account credentials could
store HTML code in a website property, which could subsequently be
displayed unescaped on a specific page to other users in the system.


Details
-------
Any user with a manager account could store specifically crafted content
in the URL website property which was then displayed unsanitised in the
affiliate-preview.php tag generation screen, potentially by other users
in the system, allowing a persistent XSS attack to take place.
The target users would however mostly have access to the same resources
as the attacker, so the practical applications are not considered
particularly harmful, especially since the session cookie cannot be
accessed via JavaScript.


References
----------
<a rel="nofollow" href="https://hackerone.com/reports/819362">https://hackerone.com/reports/819362</a>
<a rel="nofollow" href="https://github.com/revive-adserver/revive-adserver/commit/89b88ce26">https://github.com/revive-adserver/revive-adserver/commit/89b88ce26</a>
<a rel="nofollow" href="https://github.com/revive-adserver/revive-adserver/commit/62a2a0439">https://github.com/revive-adserver/revive-adserver/commit/62a2a0439</a>
<a rel="nofollow" href="https://cwe.mitre.org/data/definitions/79.html">https://cwe.mitre.org/data/definitions/79.html</a>



========================================================================
Vulnerability 2 - Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation ('Cross-site Scripting') [CWE-79]
CVE-ID:                CVE-2021-22872
CVSS Base Score:       4.3
CVSSv3.1 Vector:       AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore:  1.4
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------

Security researcher Axel Flamcourt has discovered that the fix for the
reflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on
older browsers with specifically crafted payloads to the publicly
accessible afr.php delivery script of Revive Adserver. The practical
applications are not considered particularly harmful, especially since
the session cookie cannot be accessed via JavaScript.


Details
-------
The previous fix was working on most modern browsers, but some older
browsers (e.g. IE11) do not automatically URL-encode parameters, which
leaves an opportunity to inject closing and opening script tags and
achieve a reflected XSS attack.


References
----------
<a rel="nofollow" href="https://hackerone.com/reports/986365">https://hackerone.com/reports/986365</a>
<a rel="nofollow" href="https://www.revive-adserver.com/security/revive-sa-2020-001">https://www.revive-adserver.com/security/revive-sa-2020-001</a>
<a rel="nofollow" href="https://github.com/revive-adserver/revive-adserver/commit/00fdb8d0e">https://github.com/revive-adserver/revive-adserver/commit/00fdb8d0e</a>
<a rel="nofollow" href="https://github.com/revive-adserver/revive-adserver/commit/1dbcf7d50">https://github.com/revive-adserver/revive-adserver/commit/1dbcf7d50</a>
<a rel="nofollow" href="https://cwe.mitre.org/data/definitions/79.html">https://cwe.mitre.org/data/definitions/79.html</a>


========================================================================
Vulnerability 3 - Open Redirect
========================================================================
Vulnerability Type:    URL Redirection to Untrusted Site
                       ('Open Redirect') [CWE-601]
CVE-ID:                CVE-2021-22873
CVSS Base Score:       5.4
CVSSv3.1 Vector:       AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Impact Subscore:  2.5
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------
An opportunity for open redirects has been available by design since the
early versions of Revive Adserver's predecessors in the impression and
click tracking scripts, to allow third party ad servers to track such
metrics when delivering ads. Historically the display advertising
industry has considered that to be a feature, not a real vulnerability.
Things have evolved since then and third party click tracking via
redirects is not a viable option anymore, therefore any functionality
using open redirects in delivery scripts has been removed from Revive
Adserver.


Details
-------
The lg.php and ck.php delivery scripts were subject to open redirect via
the dest, oadest and/or ct0 parameters. All of them are now ignored and
redirects are only performed (when applicable) to the destination URLs
stored in the properties of the banner being displayed. A new signed
click delivery script has been introduced with an HMAC signed
destination parameter, allowing customisable destination URLs while
preventing attackers from tampering with the destination.


References
----------
<a rel="nofollow" href="https://hackerone.com/reports/1081406">https://hackerone.com/reports/1081406</a>
<a rel="nofollow" href="https://github.com/revive-adserver/revive-adserver/issues/1068">https://github.com/revive-adserver/revive-adserver/issues/1068</a>
<a rel="nofollow" href="https://cwe.mitre.org/data/definitions/601.html">https://cwe.mitre.org/data/definitions/601.html</a>



========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 5.1.0 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
&lt;security AT revive-adserver DOT com&gt;.

Please review <a rel="nofollow" href="https://www.revive-adserver.com/security/">https://www.revive-adserver.com/security/</a> before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
<a rel="nofollow" href="https://www.revive-adserver.com/">https://www.revive-adserver.com/</a>






</pre><p><strong>Attachment:
<a href="att-60/OpenPGP_signature.bin"><tt>OpenPGP_signature</tt></a></strong>

<em>Description:</em> OpenPGP digital signature</p>
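<p>The HMAC-signed destination mechanism described under Vulnerability 3 above, as an added Python illustration rather than Revive Adserver's own PHP code: a legacy-style click handler that discards the dest, oadest and ct0 parameters and redirects only to the banner's stored URL, beside a signed handler that honours a custom dest only when its tag verifies against the banner id. The secret key, the ads.example.test host, the signed-click.php script name and the banner table are constructed for the example.</p>

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for this example only; a deployment generates its own secret.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
BASE_URL = "https://ads.example.test/"      # constructed delivery host
SIGNED_SCRIPT = "signed-click.php"          # hypothetical name, not Revive's real script
LEGACY_REDIRECT_PARAMS = ("dest", "oadest", "ct0")  # named in the advisory; ignored since 5.1.0


def sign_destination(banner_id, dest):
    """HMAC-SHA256 tag binding a destination URL to one banner id."""
    msg = f"{banner_id}|{dest}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def build_signed_click_url(banner_id, dest):
    """Minted server side when the tag is rendered; only the key holder can produce a valid sig."""
    query = urlencode({"bannerid": banner_id, "dest": dest, "sig": sign_destination(banner_id, dest)})
    return f"{BASE_URL}{SIGNED_SCRIPT}?{query}"


def _query_params(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def legacy_click_target(url, banners):
    """ck.php / lg.php style handling after the fix: the redirect target comes only from the
    banner's stored destination, so dest/oadest/ct0 supplied by the client have no effect."""
    params = _query_params(url)
    for name in LEGACY_REDIRECT_PARAMS:
        params.pop(name, None)  # explicitly discarded, never consulted
    return banners.get(params.get("bannerid"))  # None when the banner is unknown


def signed_click_target(url, banners):
    """Signed script: honour a custom dest only if the tag matches this banner id and dest."""
    params = _query_params(url)
    banner_id, dest = params.get("bannerid"), params.get("dest")
    if banner_id not in banners or dest is None:
        return None
    expected = sign_destination(banner_id, dest)
    if not hmac.compare_digest(expected, params.get("sig", "")):  # constant-time compare
        return None
    return dest
```

Because the tag covers both the banner id and the destination, swapping either one after the link has been minted invalidates it, and an unsigned request cannot name a destination at all.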
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>[REVIVE-SA-2021-001] Revive Adserver Vulnerabilities</strong> <em>Matteo Beccati via Fulldisclosure (Jan 22)</em>
</li></ul>

