Home / vulnerabilities Revive Adserver 3.2.1 CSRF / XSS / Local File Inclusion
Posted on 08 October 2015
Source : packetstormsecurity.org Link
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
========================================================================
Revive Adserver Security Advisory REVIVE-SA-2015-001
========================================================================
http://www.revive-adserver.com/security/revive-sa-2015-001
========================================================================
CVE-IDs: CVE-2015-7364, CVE-2015-7365, CVE-2015-7366,
CVE-2015-7367, CVE-2015-7368, CVE-2015-7369,
CVE-2015-7370, CVE-2015-7371, CVE-2015-7372,
CVE-2015-7373
Date: 2015-10-07
Risk Level: Medium
Applications affected: Revive Adserver
Versions affected: <= 3.2.1
Versions not affected: >= 3.2.2
Website: http://www.revive-adserver.com/
========================================================================
========================================================================
Vulnerability 1 - Cross-Site Request Forgery (CSRF)
========================================================================
CVE-ID: CVE-2015-7364
CWE-ID: CWE-352
CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
========================================================================
Abdullah Hussam Gazi discovered that the CSRF protection mechanism
introduced a few years ago to secure the forms generated with the
HTML_Quickform library (most of the forms in Revive Adserver's admin
UI) could be easily bypassed by sending an empty token along with the
POST data. The range of malicious actions includes, but is not limited
to, modifying entities like banners and zones and altering preferences
and settings.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7364
http://cwe.mitre.org/data/definitions/352.html
https://github.com/revive-adserver/revive-adserver/commit/288f81cc
========================================================================
Vulnerability 2 - Reflected XSS
========================================================================
CVE-ID: CVE-2015-7365
CWE-ID: CWE-79
CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
========================================================================
Abdullah Hussam Gazi has discovered that the plugin upgrade form was
not properly escaping filenames before displaying them when uploading
a file containing errors. Exploiting the vulnerability required a
specifically crafted multipart POST message.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7365
http://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/b5848808
========================================================================
Vulnerability 3 - Cross-Site Request Forgery (CSRF)
========================================================================
CVE-ID: CVE-2015-7366
CWE-ID: CWE-532
CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
========================================================================
N B Sri Harsha has discovered that some plugin actions (e.g. enabling,
disabling) could be performed via GET without any CSRF protection
mechanism. Successful CSRF attacks could potentially lead to service
disruptions in the case of core plugins being disabled. He also
discovered that the account-user-*.php scripts were not checking the
CSRF token sent via POST, allowing minor attacks, such as changing the
victim's contact name and language.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7366
http://cwe.mitre.org/data/definitions/352.html
https://github.com/revive-adserver/revive-adserver/commit/13d8181f
========================================================================
Vulnerability 4 - Improper Access Control
========================================================================
CVE-ID: CVE-2015-7367
CWE-ID: CWE-284
CVSSv2: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
========================================================================
N B Sri Harsha discovered that deleting or unlinking users with an
active session didn't have any effect until the session was expired,
potentially allowing the users to perform undesired actions while such
sessions were still active.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7367
http://cwe.mitre.org/data/definitions/284.html
https://github.com/revive-adserver/revive-adserver/commit/ccbd1cc5
========================================================================
Vulnerability 5 - Information Exposure Through Browser Caching
========================================================================
CVE-ID: CVE-2015-7368
CWE-ID: CWE-525
CVSSv2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
========================================================================
N B Sri Harsha has discovered that the cached copies of pages visited
in Revive Adserver's admin UI were still reachable via the browser
history after successfully logging out. This potentially allowed
exposuse of sensitive information to unauthorised parties.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7368
http://cwe.mitre.org/data/definitions/525.html
https://github.com/revive-adserver/revive-adserver/commit/15aac363
https://github.com/revive-adserver/revive-adserver/commit/c76f675d
========================================================================
Vulnerability 6 - Overly Permissive Cross-domain Whitelist
========================================================================
CVE-ID: CVE-2015-7369
CWE-ID: CWE-942
CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
========================================================================
Sergey Markov has reported that the crossdomain.xml files shipped with
Revive Adserver are overly permissive. On a default installation they
could in fact be exploited with malicious intents, e.g. to steal
session cookies.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7369
http://cwe.mitre.org/data/definitions/942.html
https://github.com/revive-adserver/revive-adserver/commit/4be0aa55
========================================================================
Vulnerability 7 - Reflected XSS
========================================================================
CVE-ID: CVE-2015-7370
CWE-ID: CWE-79
CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
========================================================================
Sergey Markov has discovered that the open-flash-chart.swf file, used
by the VideoAds plugin in Revive Adserver, was vulnerable to reflected
XSS attacks on the id and data-file parameters. This file was included
via the third party LGPLv2 graphing library, Open Flash Chart 2, which
appears to be currently unmaintained. The Revive Adserver team has
therefore decided to fix the vulnerabilities that had been reported
and to publish a github repository for the library, containing its
history and the vulnerability fixes, for the benefit of everyone else
using it:
https://github.com/revive-adserver/open-flash-chart
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7370
http://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/202eb15c
https://github.com/revive-adserver/revive-adserver/commit/e9cda5a4
https://github.com/revive-adserver/open-flash-chart/commit/0a181c56
========================================================================
Vulnerability 8 - Improper Access Control
========================================================================
CVE-ID: CVE-2015-7371
CWE-ID: CWE-284
CVSSv2: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
========================================================================
Krzysztof K. Wasielewski reported that run-mpe.php, a script used by
the admin UI to asynchronously trigger a run of the Maintenance
Priority Engine when necessary, was lacking proper authentication and
access control and could therefore be called by any third party.
Running maintenance is a resource intensive task, although a locking
mechanism prevents it from being run multiple times concurrently;
thus, run-mpe.php cannot be used alone for a resource exhaustion attack.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7371
http://cwe.mitre.org/data/definitions/284.html
https://github.com/revive-adserver/revive-adserver/commit/12cefa6f
========================================================================
Vulnerability 9 - Local File Inclusion
========================================================================
CVE-ID: CVE-2015-7372
CWE-ID: CWE-98
CVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
========================================================================
Krzysztof K. Wasielewski reported that the layerstyle parameter in
al.php was not properly sanitized, causing a potential LFI
vulnerability. Under normal circumstances, an attacker would need to
place a file named layerstyle.inc.php in an arbitrary directory on the
server and craft the layerstyle parameter accordingly to load it. If
an old version of PHP is being used the server, other attack
techniques might be possible, e.g. NULL-byte truncation.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7372
http://cwe.mitre.org/data/definitions/98.html
https://github.com/revive-adserver/revive-adserver/commit/86b623f8
https://github.com/revive-adserver/revive-adserver/commit/c76f675d
========================================================================
Vulnerability 10 - Reflected XSS (Cross-site scripting)
========================================================================
CVE-ID: CVE-2015-7373
CWE-ID: CWE-79
CVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
========================================================================
A feature called "magic-macros" in Revive Adserver allows dynamic data
to be displayed in the banner output. There is a predefined set of
such macros (e.g. {random}, {clickurl}, etc.), but the feature also
allows the display of arbitrary GET parameters. A user reported that
the values coming from GET parameters were not properly escaped before
being displayed, thus making banners using such magic-macros a
potential vector for XSS attacks.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7373
http://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/c40abff6
https://github.com/revive-adserver/revive-adserver/commit/c76f675d
========================================================================
Solution
========================================================================
We strongly advise people to upgrade to the most recent 3.2.2 release
of Revive Adserver, including those running OpenX Source or older
versions of the application.
========================================================================
Contact Information
========================================================================
The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.
Please review http://www.revive-adserver.com/security/ before doing so.
- --
Matteo Beccati
On behalf of the Revive Adserver Team
http://www.revive-adserver.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWFRLgAAoJEHlDnsQiEkAuOBgP/2IgkP38ImnuYPPI5XvOh9MY
cU58ZRg7kNcmhTljuX2k53Pm5hDjaYJyGXHPe2vjscTavWDmBlfugd5l8d0qDrHD
VptB+ItlMvynhaBU18P/EeKL/cJ8xZh7k0NpGJbW7An2ZbCp2c238QBcces/BfDH
2monCBCifZkT0lLsEIQMaVU84Cj3WR5jFOR3+aK+JZ4vk7FvZ1Vc1Fl8FvkZMSVy
RAGlRsnHTga2Yw4k8Lcg6dYynSZt34x85VUXiUHISN7O8vnJq0LPDfdQy0CYKhzO
p/Ffj75KX78qwdEf/kvz57LrkGXnw5fbkrlpysIun5NRhmgaY25t5KS/jovjdKdO
wf0eScDTKJG1VJngIWQVJc2din7dYNJkD53Sl28HOm37BeZJ/adAZl68vU0KJFe9
T62YzbHlsQnmScdZELv/CWdbbCxJIy+5XQKYDUuXPPA9sz6HlYmMg2CE4MsD/Ns9
Dzgd1DI2Y1GRN0u4SWG+GSYf63IWPg/taQSkztHdzxTCoRHVWWoCiDRK8lnM7+7M
10U1ZSX8kalQx/eUpsSDsS7W3HZlCuj/F/ZAu5GUqnmfjgxC1Hx0vDsei3zKCfpC
xgIOfXbGF1K+DwQAhMpjIq24++m3/HhlEw+JC8KF5nk2AF2cP5V8svq1Lcn6nNas
xoKaYisRwrRzEyFVEtt+
=8xHk
-----END PGP SIGNATURE-----