Multiple vulnerabilities in Revive Adserver
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2016-9470 CVE-2016-9471 CVE-2016-9472 |
| CWE-ID | CWE-254 CWE-20 CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Revive Adserver Web applications / Other software |
| Vendor | OpenX Source |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Security Features
EUVDB-ID: #VU39350
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber]
CVE-ID: CVE-2016-9470
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to execute arbitrary code.
Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected File Download. `www/delivery/asyncspc.php` was vulnerable to the fairly new Reflected File Download (RFD) web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain.
MitigationInstall update from vendor's website.
Vulnerable software versionsRevive Adserver: 4.0.0
CPE2.3 External linkshttps://github.com/revive-adserver/revive-adserver/commit/69aacbd2
https://hackerone.com/reports/148745
https://www.revive-adserver.com/security/revive-sa-2016-002/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU39351
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-9471
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to read and manipulate data.
Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames weren't properly sanitised when creating users on a Revive Adserver instance. Especially, control characters were not filtered, allowing apparently identical usernames to co-exist in the system, due to the fact that such characters are normally ignored when an HTML page is displayed in a browser. The issue could have therefore been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver. <a href="http://cwe.mitre.org/data/definitions/75.html">CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)</a>
MitigationInstall update from vendor's website.
Vulnerable software versionsRevive Adserver: 4.0.0
CPE2.3 External linkshttps://github.com/revive-adserver/revive-adserver/commit/05b1eceb
https://hackerone.com/reports/128181
https://www.revive-adserver.com/security/revive-sa-2016-002/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Cross-site scripting
EUVDB-ID: #VU39352
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-9472
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected XSS. The Revive Adserver web installer scripts were vulnerable to a reflected XSS attack via the dbHost, dbUser, and possibly other parameters. It has to be noted that the window for such attack vectors to be possible is extremely narrow and it is very unlikely that such an attack could be actually effective.
MitigationInstall update from vendor's website.
Vulnerable software versionsRevive Adserver: 4.0.0
CPE2.3 External linkshttps://github.com/revive-adserver/revive-adserver/commit/14ff73f0
https://github.com/revive-adserver/revive-adserver/commit/fcf72c8a
https://hackerone.com/reports/170156
https://www.revive-adserver.com/security/revive-sa-2016-002/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
