exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Revive Adserver 5.0.4 Security Bypass / Open Redirect

Revive Adserver 5.0.4 Security Bypass / Open Redirect
Posted Mar 13, 2020
Authored by Matteo Beccati

Revive Adserver versions 5.0.4 and below suffer from bypass and open redirection vulnerabilities.

tags | exploit, vulnerability
SHA-256 | 227caed18cd585592cab071fd8f1e1b5744e03d59567da8593f7ac4670aeab32

Revive Adserver 5.0.4 Security Bypass / Open Redirect

Change Mirror Download
========================================================================
Revive Adserver Security Advisory REVIVE-SA-2020-002
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2020-002
------------------------------------------------------------------------
CVE-IDs: t.b.a.
Date: 2020-03-12
Risk Level: Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.4
Versions not affected: >= 5.0.5
Website: https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability 1 - Security restriction bypass
========================================================================
Vulnerability Type: Incorrect Authorization [CWE-863]
CVE-ID: t.b.a.
CVSS Base Score: 5.6
CVSSv3.1 Vector: AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS Impact Subscore: 5.2
CVSS Exploitability Subscore: 0.4
========================================================================

Description
-----------
A security restriction bypass vulnerability has been discovered by
HackerOne user hoangn144. Revive Adserver, like many other applications,
requires the logged in user to type the current password in order to
change the e-mail address or the password. It was however possible for
anyone with access to a Revive Adserver admin user interface to bypass
such check and change e-email address or password of the currently
logged in user by altering the form payload.


Details
-------
The attack requires physical access to the user interface of a logged in
user. If the POST payload was altered by turning the "pwold" parameter
into an array, Revive Adserver would fetch and authorise the operation
even if no password was provided.


References
----------
https://hackerone.com/reports/792895
https://github.com/revive-adserver/revive-adserver/commit/e2a519c3
https://cwe.mitre.org/data/definitions/863.html



========================================================================
Vulnerability 2 - Open Redirect
========================================================================
Vulnerability Type: URL Redirection to Untrusted Site
('Open Redirect') [CWE-601]
CVE-ID: t.b.a.
CVSS Base Score: 4.2
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 1.6
========================================================================

Description
-----------
An Open Redirect vulnerability was discovered and reported by HackerOne
user hoangn144. A remote attacker could trick logged-in users to open a
specifically crafted link and have them redirected to any destination.


Details
-------
The CSRF protection of the "/www/admin/*-modify.php" could be skipped if
no meaningful parameter was sent. No action was performed, but the user
was still redirected to the target page, specified via the "returnurl"
GET parameter.


References
----------
https://hackerone.com/reports/794144
https://github.com/revive-adserver/revive-adserver/commit/05fcd364
https://cwe.mitre.org/data/definitions/601.html



========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 5.0.5 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.


--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close