========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2021-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2021-001
------------------------------------------------------------------------
CVE-IDs:               CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
Date:                  2020-01-19
Risk Level:            Low
Applications affected: Revive Adserver
Versions affected:     <= 5.0.5
Versions not affected: >= 5.1.0
Website:               https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability 1 - Persistent XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation ('Cross-site Scripting') [CWE-79]
CVE-ID:                CVE-2021-22871
CVSS Base Score:       3.5
CVSSv3.1 Vector:       AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore:  2.5
CVSS Exploitability Subscore: 0.9
========================================================================

Description
-----------
A persistent XSS vulnerability has been discovered by security
researcher Keyur Vala. An attacker with manager account credential could
store HTML code in a website property, which could subsequently been
displayed unescaped on a specific page by other users in the system.


Details
-------
Any user with a manager account could store specifically crafted content
in the URL website property which was then displayed unsanitised in the
affiliate-preview.php tag generation screen, potentially by other users
in the system, allowing a persistent XSS attack to take place.
The target users would however mostly have access to the same resources
as the attacker, so the practical applications are not considered
particularly harmful, especially since the session cookie cannot be
accessed via JavaScript.


References
----------
https://hackerone.com/reports/819362
https://github.com/revive-adserver/revive-adserver/commit/89b88ce26
https://github.com/revive-adserver/revive-adserver/commit/62a2a0439
https://cwe.mitre.org/data/definitions/79.html



========================================================================
Vulnerability 2 - Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation ('Cross-site Scripting') [CWE-79]
CVE-ID:                CVE-2021-22872
CVSS Base Score:       4.3
CVSSv3.1 Vector:       AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore:  1.4
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------

Security researcher Axel Flamcourt has discovered that the fix for the
reflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on
older browsers with specifically crafted payloads to the publicly
accessible afr.php delivery script of Revive Adserver. The practical
applications are not considered particularly harmful, especially since
the session cookie cannot be accessed via JavaScript.


Details
-------
The previous fix was working on most modern browsers, but some older
browsers are not automatically url-encoding parameters and would leave
an opportunity to inject closing and opening script tags and achieve
reflected XSS attacks e.g. on IE11.


References
----------
https://hackerone.com/reports/986365
https://www.revive-adserver.com/security/revive-sa-2020-001
https://github.com/revive-adserver/revive-adserver/commit/00fdb8d0e
https://github.com/revive-adserver/revive-adserver/commit/1dbcf7d50
https://cwe.mitre.org/data/definitions/79.html


========================================================================
Vulnerability 3 - Open Redirect
========================================================================
Vulnerability Type:    URL Redirection to Untrusted Site
                       ('Open Redirect') [CWE-601]
CVE-ID:                CVE-2021-22873
CVSS Base Score:       5.4
CVSSv3.1 Vector:       AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Impact Subscore:  2.5
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------
An opportunity for open redirects has been available by design since the
early versions of Revive Adserver's predecessors in the impression and
click tracking scripts to allow third party ad servers to track such
metrics when delivering ads. Historically the display advertising
industry has considered that to be a feature, not a real vulnerability.
Things have evolved since then and third party click tracking via
redirects is not a viable option anymore, therefore any functionality
using open redirects in delivery scripts have been removed from Revive
Adserver.


Details
-------
The lg.php and ck.php delivery scripts were subject to open redirect via
either dest, oadest and/or ct0 parameters. All of them are now ignored
and redirects only performed (when applicable) to destination URLs
stored in the properties of the banner being displayed. A new signed
click delivery script has been introduced with an HMAC signed
destination parameter, allowing customisable destination URLs while
avoiding destinations from being tampered with by attackers.


References
----------
https://hackerone.com/reports/1081406
https://github.com/revive-adserver/revive-adserver/issues/1068
https://cwe.mitre.org/data/definitions/601.html



========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 5.1.0 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/