-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2015-001 ======================================================================== http://www.revive-adserver.com/security/revive-sa-2015-001 ======================================================================== CVE-IDs: CVE-2015-7364, CVE-2015-7365, CVE-2015-7366, CVE-2015-7367, CVE-2015-7368, CVE-2015-7369, CVE-2015-7370, CVE-2015-7371, CVE-2015-7372, CVE-2015-7373 Date: 2015-10-07 Risk Level: Medium Applications affected: Revive Adserver Versions affected: <= 3.2.1 Versions not affected: >= 3.2.2 Website: http://www.revive-adserver.com/ ======================================================================== ======================================================================== Vulnerability 1 - Cross-Site Request Forgery (CSRF) ======================================================================== CVE-ID: CVE-2015-7364 CWE-ID: CWE-352 CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) ======================================================================== Abdullah Hussam Gazi discovered that the CSRF protection mechanism introduced a few years ago to secure the forms generated with the HTML_Quickform library (most of the forms in Revive Adserver's admin UI) could be easily bypassed by sending an empty token along with the POST data. The range of malicious actions includes, but is not limited to, modifying entities like banners and zones and altering preferences and settings. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7364 http://cwe.mitre.org/data/definitions/352.html https://github.com/revive-adserver/revive-adserver/commit/288f81cc ======================================================================== Vulnerability 2 - Reflected XSS ======================================================================== CVE-ID: CVE-2015-7365 CWE-ID: CWE-79 CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) ======================================================================== Abdullah Hussam Gazi has discovered that the plugin upgrade form was not properly escaping filenames before displaying them when uploading a file containing errors. Exploiting the vulnerability required a specifically crafted multipart POST message. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7365 http://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/b5848808 ======================================================================== Vulnerability 3 - Cross-Site Request Forgery (CSRF) ======================================================================== CVE-ID: CVE-2015-7366 CWE-ID: CWE-532 CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) ======================================================================== N B Sri Harsha has discovered that some plugin actions (e.g. enabling, disabling) could be performed via GET without any CSRF protection mechanism. Successful CSRF attacks could potentially lead to service disruptions in the case of core plugins being disabled. He also discovered that the account-user-*.php scripts were not checking the CSRF token sent via POST, allowing minor attacks, such as changing the victim's contact name and language. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7366 http://cwe.mitre.org/data/definitions/352.html https://github.com/revive-adserver/revive-adserver/commit/13d8181f ======================================================================== Vulnerability 4 - Improper Access Control ======================================================================== CVE-ID: CVE-2015-7367 CWE-ID: CWE-284 CVSSv2: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) ======================================================================== N B Sri Harsha discovered that deleting or unlinking users with an active session didn't have any effect until the session was expired, potentially allowing the users to perform undesired actions while such sessions were still active. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7367 http://cwe.mitre.org/data/definitions/284.html https://github.com/revive-adserver/revive-adserver/commit/ccbd1cc5 ======================================================================== Vulnerability 5 - Information Exposure Through Browser Caching ======================================================================== CVE-ID: CVE-2015-7368 CWE-ID: CWE-525 CVSSv2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N) ======================================================================== N B Sri Harsha has discovered that the cached copies of pages visited in Revive Adserver's admin UI were still reachable via the browser history after successfully logging out. This potentially allowed exposuse of sensitive information to unauthorised parties. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7368 http://cwe.mitre.org/data/definitions/525.html https://github.com/revive-adserver/revive-adserver/commit/15aac363 https://github.com/revive-adserver/revive-adserver/commit/c76f675d ======================================================================== Vulnerability 6 - Overly Permissive Cross-domain Whitelist ======================================================================== CVE-ID: CVE-2015-7369 CWE-ID: CWE-942 CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) ======================================================================== Sergey Markov has reported that the crossdomain.xml files shipped with Revive Adserver are overly permissive. On a default installation they could in fact be exploited with malicious intents, e.g. to steal session cookies. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7369 http://cwe.mitre.org/data/definitions/942.html https://github.com/revive-adserver/revive-adserver/commit/4be0aa55 ======================================================================== Vulnerability 7 - Reflected XSS ======================================================================== CVE-ID: CVE-2015-7370 CWE-ID: CWE-79 CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) ======================================================================== Sergey Markov has discovered that the open-flash-chart.swf file, used by the VideoAds plugin in Revive Adserver, was vulnerable to reflected XSS attacks on the id and data-file parameters. This file was included via the third party LGPLv2 graphing library, Open Flash Chart 2, which appears to be currently unmaintained. The Revive Adserver team has therefore decided to fix the vulnerabilities that had been reported and to publish a github repository for the library, containing its history and the vulnerability fixes, for the benefit of everyone else using it: https://github.com/revive-adserver/open-flash-chart References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7370 http://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/202eb15c https://github.com/revive-adserver/revive-adserver/commit/e9cda5a4 https://github.com/revive-adserver/open-flash-chart/commit/0a181c56 ======================================================================== Vulnerability 8 - Improper Access Control ======================================================================== CVE-ID: CVE-2015-7371 CWE-ID: CWE-284 CVSSv2: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) ======================================================================== Krzysztof K. Wasielewski reported that run-mpe.php, a script used by the admin UI to asynchronously trigger a run of the Maintenance Priority Engine when necessary, was lacking proper authentication and access control and could therefore be called by any third party. Running maintenance is a resource intensive task, although a locking mechanism prevents it from being run multiple times concurrently; thus, run-mpe.php cannot be used alone for a resource exhaustion attack. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7371 http://cwe.mitre.org/data/definitions/284.html https://github.com/revive-adserver/revive-adserver/commit/12cefa6f ======================================================================== Vulnerability 9 - Local File Inclusion ======================================================================== CVE-ID: CVE-2015-7372 CWE-ID: CWE-98 CVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) ======================================================================== Krzysztof K. Wasielewski reported that the layerstyle parameter in al.php was not properly sanitized, causing a potential LFI vulnerability. Under normal circumstances, an attacker would need to place a file named layerstyle.inc.php in an arbitrary directory on the server and craft the layerstyle parameter accordingly to load it. If an old version of PHP is being used the server, other attack techniques might be possible, e.g. NULL-byte truncation. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7372 http://cwe.mitre.org/data/definitions/98.html https://github.com/revive-adserver/revive-adserver/commit/86b623f8 https://github.com/revive-adserver/revive-adserver/commit/c76f675d ======================================================================== Vulnerability 10 - Reflected XSS (Cross-site scripting) ======================================================================== CVE-ID: CVE-2015-7373 CWE-ID: CWE-79 CVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) ======================================================================== A feature called "magic-macros" in Revive Adserver allows dynamic data to be displayed in the banner output. There is a predefined set of such macros (e.g. {random}, {clickurl}, etc.), but the feature also allows the display of arbitrary GET parameters. A user reported that the values coming from GET parameters were not properly escaped before being displayed, thus making banners using such magic-macros a potential vector for XSS attacks. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7373 http://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/c40abff6 https://github.com/revive-adserver/revive-adserver/commit/c76f675d ======================================================================== Solution ======================================================================== We strongly advise people to upgrade to the most recent 3.2.2 release of Revive Adserver, including those running OpenX Source or older versions of the application. ======================================================================== Contact Information ======================================================================== The security contact for Revive Adserver can be reached at: . Please review http://www.revive-adserver.com/security/ before doing so. - -- Matteo Beccati On behalf of the Revive Adserver Team http://www.revive-adserver.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJWFRLgAAoJEHlDnsQiEkAuOBgP/2IgkP38ImnuYPPI5XvOh9MY cU58ZRg7kNcmhTljuX2k53Pm5hDjaYJyGXHPe2vjscTavWDmBlfugd5l8d0qDrHD VptB+ItlMvynhaBU18P/EeKL/cJ8xZh7k0NpGJbW7An2ZbCp2c238QBcces/BfDH 2monCBCifZkT0lLsEIQMaVU84Cj3WR5jFOR3+aK+JZ4vk7FvZ1Vc1Fl8FvkZMSVy RAGlRsnHTga2Yw4k8Lcg6dYynSZt34x85VUXiUHISN7O8vnJq0LPDfdQy0CYKhzO p/Ffj75KX78qwdEf/kvz57LrkGXnw5fbkrlpysIun5NRhmgaY25t5KS/jovjdKdO wf0eScDTKJG1VJngIWQVJc2din7dYNJkD53Sl28HOm37BeZJ/adAZl68vU0KJFe9 T62YzbHlsQnmScdZELv/CWdbbCxJIy+5XQKYDUuXPPA9sz6HlYmMg2CE4MsD/Ns9 Dzgd1DI2Y1GRN0u4SWG+GSYf63IWPg/taQSkztHdzxTCoRHVWWoCiDRK8lnM7+7M 10U1ZSX8kalQx/eUpsSDsS7W3HZlCuj/F/ZAu5GUqnmfjgxC1Hx0vDsei3zKCfpC xgIOfXbGF1K+DwQAhMpjIq24++m3/HhlEw+JC8KF5nk2AF2cP5V8svq1Lcn6nNas xoKaYisRwrRzEyFVEtt+ =8xHk -----END PGP SIGNATURE-----