Multiple vulnerabilities in Revive Adserver



Published: 2017-03-28 | Updated: 2020-08-08
Risk: High
Patch available: YES
Number of vulnerabilities: 3
CVE ID: CVE-2016-9470, CVE-2016-9471, CVE-2016-9472
CWE ID: CWE-254, CWE-20, CWE-79
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Revive Adserver (Web applications / Other software)
Vendor: OpenX Source

Security Advisory

1) Security Features

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-9470

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected File Download (RFD). The script `www/delivery/asyncspc.php` was vulnerable to this fairly new web attack vector, in which the victim's browser downloads a file that appears to come from a trusted domain, enabling attackers to gain complete control over the victim's machine.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Revive Adserver: 4.0.0

External links

https://github.com/revive-adserver/revive-adserver/commit/69aacbd2
https://hackerone.com/reports/148745
https://www.revive-adserver.com/security/revive-sa-2016-002/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9471

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to read and manipulate data.

Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames were not properly sanitised when users were created on a Revive Adserver instance. In particular, control characters were not filtered, which allowed apparently identical usernames to co-exist in the system, because such characters are normally ignored when an HTML page is displayed in a browser. The issue could therefore have been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver. See CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection), http://cwe.mitre.org/data/definitions/75.html
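
One way to enforce and audit the missing username check, as an added example (not Revive Adserver's actual fix and not code from this advisory). Function names and sample usernames are hypothetical, PHP 7.4 or later is assumed, and the example goes slightly beyond the control characters named above by also treating Unicode format characters such as the zero-width space as invisible.

```php
<?php
// Added example: function names and sample data are constructed,
// not taken from Revive Adserver.

/**
 * Return the username with invisible code points removed: control (Cc)
 * and format (Cf, e.g. zero-width space) characters.
 * Returns null when the input is not valid UTF-8.
 */
function visibleForm(string $username): ?string
{
    return preg_replace('/[\p{Cc}\p{Cf}]/u', '', $username);
}

/** Accept a username only if it is non-empty and has no invisible characters. */
function isAcceptableUsername(string $username): bool
{
    $visible = visibleForm($username);
    return $visible !== null && $visible !== '' && $visible === $username;
}

/**
 * Audit existing accounts: group usernames by visible form and return
 * the groups in which more than one stored name renders identically.
 */
function findLookalikes(array $usernames): array
{
    $groups = [];
    foreach ($usernames as $name) {
        $key = visibleForm($name) ?? '(invalid UTF-8)';
        $groups[$key][] = $name;
    }
    return array_filter($groups, fn(array $g): bool => count($g) > 1);
}

// Constructed sample: the second and third names hide a BEL (0x07) and a
// zero-width space (U+200B), which a browser normally does not render.
$stored = ['admin', "adm\x07in", "admin\u{200B}", 'editor'];

foreach ($stored as $name) {
    printf("%-20s %s\n", json_encode($name), isAcceptableUsername($name) ? 'ok' : 'rejected');
}
foreach (findLookalikes($stored) as $visible => $names) {
    printf("%d accounts render as \"%s\": %s\n", count($names), $visible, json_encode($names));
}
```

Run against an export of existing usernames, the audit function surfaces accounts that were created before the input check was in place.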

Mitigation

Install update from vendor's website.

Vulnerable software versions

Revive Adserver: 4.0.0

External links

https://github.com/revive-adserver/revive-adserver/commit/05b1eceb
https://hackerone.com/reports/128181
https://www.revive-adserver.com/security/revive-sa-2016-002/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-9472

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected XSS. The Revive Adserver web installer scripts were vulnerable to a reflected XSS attack via the dbHost, dbUser, and possibly other parameters. Note that the window in which such attack vectors are possible is extremely narrow, and it is very unlikely that such an attack could actually be effective.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Revive Adserver: 4.0.0

External links

https://github.com/revive-adserver/revive-adserver/commit/14ff73f0
https://github.com/revive-adserver/revive-adserver/commit/fcf72c8a
https://hackerone.com/reports/170156
https://www.revive-adserver.com/security/revive-sa-2016-002/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


