what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Revive Adserver 5.0.5 Cross Site Scripting / Open Redirect

Revive Adserver 5.0.5 Cross Site Scripting / Open Redirect
Posted Jan 24, 2021
Authored by Matteo Beccati

Revive Adserver versions 5.0.5 and below suffer from persistent and reflective cross site scripting and open redirection vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
SHA-256 | c7f57ec7a0fdc03032ccbfb85e6d682a3160156a7e0330b675338dfa1a77d605

Revive Adserver 5.0.5 Cross Site Scripting / Open Redirect

Change Mirror Download
========================================================================
Revive Adserver Security Advisory REVIVE-SA-2021-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2021-001
------------------------------------------------------------------------
CVE-IDs: CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
Date: 2020-01-19
Risk Level: Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.5
Versions not affected: >= 5.1.0
Website: https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability 1 - Persistent XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: CVE-2021-22871
CVSS Base Score: 3.5
CVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 0.9
========================================================================

Description
-----------
A persistent XSS vulnerability has been discovered by security
researcher Keyur Vala. An attacker with manager account credential could
store HTML code in a website property, which could subsequently been
displayed unescaped on a specific page by other users in the system.


Details
-------
Any user with a manager account could store specifically crafted content
in the URL website property which was then displayed unsanitised in the
affiliate-preview.php tag generation screen, potentially by other users
in the system, allowing a persistent XSS attack to take place.
The target users would however mostly have access to the same resources
as the attacker, so the practical applications are not considered
particularly harmful, especially since the session cookie cannot be
accessed via JavaScript.


References
----------
https://hackerone.com/reports/819362
https://github.com/revive-adserver/revive-adserver/commit/89b88ce26
https://github.com/revive-adserver/revive-adserver/commit/62a2a0439
https://cwe.mitre.org/data/definitions/79.html



========================================================================
Vulnerability 2 - Reflected XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: CVE-2021-22872
CVSS Base Score: 4.3
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore: 1.4
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------

Security researcher Axel Flamcourt has discovered that the fix for the
reflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on
older browsers with specifically crafted payloads to the publicly
accessible afr.php delivery script of Revive Adserver. The practical
applications are not considered particularly harmful, especially since
the session cookie cannot be accessed via JavaScript.


Details
-------
The previous fix was working on most modern browsers, but some older
browsers are not automatically url-encoding parameters and would leave
an opportunity to inject closing and opening script tags and achieve
reflected XSS attacks e.g. on IE11.


References
----------
https://hackerone.com/reports/986365
https://www.revive-adserver.com/security/revive-sa-2020-001
https://github.com/revive-adserver/revive-adserver/commit/00fdb8d0e
https://github.com/revive-adserver/revive-adserver/commit/1dbcf7d50
https://cwe.mitre.org/data/definitions/79.html


========================================================================
Vulnerability 3 - Open Redirect
========================================================================
Vulnerability Type: URL Redirection to Untrusted Site
('Open Redirect') [CWE-601]
CVE-ID: CVE-2021-22873
CVSS Base Score: 5.4
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------
An opportunity for open redirects has been available by design since the
early versions of Revive Adserver's predecessors in the impression and
click tracking scripts to allow third party ad servers to track such
metrics when delivering ads. Historically the display advertising
industry has considered that to be a feature, not a real vulnerability.
Things have evolved since then and third party click tracking via
redirects is not a viable option anymore, therefore any functionality
using open redirects in delivery scripts have been removed from Revive
Adserver.


Details
-------
The lg.php and ck.php delivery scripts were subject to open redirect via
either dest, oadest and/or ct0 parameters. All of them are now ignored
and redirects only performed (when applicable) to destination URLs
stored in the properties of the banner being displayed. A new signed
click delivery script has been introduced with an HMAC signed
destination parameter, allowing customisable destination URLs while
avoiding destinations from being tampered with by attackers.


References
----------
https://hackerone.com/reports/1081406
https://github.com/revive-adserver/revive-adserver/issues/1068
https://cwe.mitre.org/data/definitions/601.html



========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 5.1.0 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.


--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/






Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close