exploit the possibilities

Revive Adserver 5.0.5 Cross Site Scripting / Open Redirect

Revive Adserver 5.0.5 Cross Site Scripting / Open Redirect
Posted Jan 24, 2021
Authored by Matteo Beccati

Revive Adserver versions 5.0.5 and below suffer from persistent and reflective cross site scripting and open redirection vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
SHA-256 | c7f57ec7a0fdc03032ccbfb85e6d682a3160156a7e0330b675338dfa1a77d605

Revive Adserver 5.0.5 Cross Site Scripting / Open Redirect

Change Mirror Download
========================================================================
Revive Adserver Security Advisory REVIVE-SA-2021-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2021-001
------------------------------------------------------------------------
CVE-IDs: CVE-2021-22871, CVE-2021-22872, CVE-2021-22873
Date: 2020-01-19
Risk Level: Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.5
Versions not affected: >= 5.1.0
Website: https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability 1 - Persistent XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: CVE-2021-22871
CVSS Base Score: 3.5
CVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 0.9
========================================================================

Description
-----------
A persistent XSS vulnerability has been discovered by security
researcher Keyur Vala. An attacker with manager account credential could
store HTML code in a website property, which could subsequently been
displayed unescaped on a specific page by other users in the system.


Details
-------
Any user with a manager account could store specifically crafted content
in the URL website property which was then displayed unsanitised in the
affiliate-preview.php tag generation screen, potentially by other users
in the system, allowing a persistent XSS attack to take place.
The target users would however mostly have access to the same resources
as the attacker, so the practical applications are not considered
particularly harmful, especially since the session cookie cannot be
accessed via JavaScript.


References
----------
https://hackerone.com/reports/819362
https://github.com/revive-adserver/revive-adserver/commit/89b88ce26
https://github.com/revive-adserver/revive-adserver/commit/62a2a0439
https://cwe.mitre.org/data/definitions/79.html



========================================================================
Vulnerability 2 - Reflected XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: CVE-2021-22872
CVSS Base Score: 4.3
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore: 1.4
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------

Security researcher Axel Flamcourt has discovered that the fix for the
reflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on
older browsers with specifically crafted payloads to the publicly
accessible afr.php delivery script of Revive Adserver. The practical
applications are not considered particularly harmful, especially since
the session cookie cannot be accessed via JavaScript.


Details
-------
The previous fix was working on most modern browsers, but some older
browsers are not automatically url-encoding parameters and would leave
an opportunity to inject closing and opening script tags and achieve
reflected XSS attacks e.g. on IE11.


References
----------
https://hackerone.com/reports/986365
https://www.revive-adserver.com/security/revive-sa-2020-001
https://github.com/revive-adserver/revive-adserver/commit/00fdb8d0e
https://github.com/revive-adserver/revive-adserver/commit/1dbcf7d50
https://cwe.mitre.org/data/definitions/79.html


========================================================================
Vulnerability 3 - Open Redirect
========================================================================
Vulnerability Type: URL Redirection to Untrusted Site
('Open Redirect') [CWE-601]
CVE-ID: CVE-2021-22873
CVSS Base Score: 5.4
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Impact Subscore: 2.5
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------
An opportunity for open redirects has been available by design since the
early versions of Revive Adserver's predecessors in the impression and
click tracking scripts to allow third party ad servers to track such
metrics when delivering ads. Historically the display advertising
industry has considered that to be a feature, not a real vulnerability.
Things have evolved since then and third party click tracking via
redirects is not a viable option anymore, therefore any functionality
using open redirects in delivery scripts have been removed from Revive
Adserver.


Details
-------
The lg.php and ck.php delivery scripts were subject to open redirect via
either dest, oadest and/or ct0 parameters. All of them are now ignored
and redirects only performed (when applicable) to destination URLs
stored in the properties of the banner being displayed. A new signed
click delivery script has been introduced with an HMAC signed
destination parameter, allowing customisable destination URLs while
avoiding destinations from being tampered with by attackers.


References
----------
https://hackerone.com/reports/1081406
https://github.com/revive-adserver/revive-adserver/issues/1068
https://cwe.mitre.org/data/definitions/601.html



========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 5.1.0 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.


--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/






Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    12 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close