Exploit the possiblities

Revive Adserver 3.0.1 SQL Injection

Revive Adserver 3.0.1 SQL Injection
Posted Dec 20, 2013
Authored by Matteo Beccati

Revive Adserver versions 3.0.1 and below suffer from a remote SQL injection vulnerability. The XML-RPC delivery invocation script was failing to escape its input parameters in the same way the other delivery methods do, allowing attackers to inject arbitrary SQL code via the "what" parameter of the delivery XML-RPC methods. Also, the escaping technique used to handle such parameter in the delivery scripts was based on the addslashes PHP function and has now been upgraded to use the dedicated escaping functions for the database in use.

tags | advisory, remote, arbitrary, php, sql injection
advisories | CVE-2013-7149
MD5 | d48e78efcb0beaabb18b60baa130c7b2

Revive Adserver 3.0.1 SQL Injection

Change Mirror Download
========================================================================
Revive Adserver Security Advisory REVIVE-SA-2013-001
------------------------------------------------------------------------
Advisory ID: REVIVE-SA-2013-001
CVE ID: CVE-2013-7149
Date: 2013-12-20
Security risk: Critical
Applications affected: Revive Adserver
Versions affected: <= 3.0.1
Versions not affected: >= 3.0.2
Website: http://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability: SQL injection
========================================================================

Description
-----------
An SQL-injection vulnerability was recently discovered and reported to
the Revive Adserver team by Florian Sander. The vulnerability is known
to be already exploited to gain unauthorised access to the application
using brute force mechanisms, however other kind of attacks might be
possible and/or already in use. The risk is rated to be critical as the
most common end goal of the attackers is to spread malware to the
visitors of all the websites and ad networks that the ad server is being
used on.

The vulnerability is also present and exploitable in OpenX Source 2.8.11
and earlier versions, potentially back to phpAdsNew 2.0.x.

Details
-------
The XML-RPC delivery invocation script was failing to escape its input
parameters in the same way the other delivery methods do, allowing
attackers to inject arbitrary SQL code via the "what" parameter of the
delivery XML-RPC methods. Also, the escaping technique used to handle
such parameter in the delivery scripts was based on the addslashes PHP
function and has now been upgraded to use the dedicated escaping
functions for the database in use.

References
----------
http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7149

Permalink
---------
http://www.revive-adserver.com/security/REVIVE-SA-2013-001


Solution
========

We strongly advise people to upgrade to the most recent 3.0.2 version of
Revive Adserver, including those running OpenX Source or older versions
of the application.

In case the upgrade cannot be performed in a timely fashion, we suggest
to delete the "www/delivery/axmlrpc.php" script (if not in use) as a
temporary fix until the application is upgraded.


Contact Information
===================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>


--
Matteo Beccati
On behalf of the Revive Adserver Team
http://www.revive-adserver.com/

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    8 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close