0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Revive Adserver 3.2.1 Multiple Vulnerabilities
Author
Risk
![](/img/risk/critlow_4.gif)
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
======================================================================== http://www.revive-adserver.com/security/revive-sa-2015-001 ======================================================================== CVE-IDs: CVE-2015-7364, CVE-2015-7365, CVE-2015-7366, CVE-2015-7367, CVE-2015-7368, CVE-2015-7369, CVE-2015-7370, CVE-2015-7371, CVE-2015-7372, CVE-2015-7373 Date: 2015-10-07 Risk Level: Medium Applications affected: Revive Adserver Versions affected: <= 3.2.1 Versions not affected: >= 3.2.2 Website: http://www.revive-adserver.com/ ======================================================================== ======================================================================== Vulnerability 1 - Cross-Site Request Forgery (CSRF) ======================================================================== CVE-ID: CVE-2015-7364 CWE-ID: CWE-352 CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) ======================================================================== Abdullah Hussam Gazi discovered that the CSRF protection mechanism introduced a few years ago to secure the forms generated with the HTML_Quickform library (most of the forms in Revive Adserver's admin UI) could be easily bypassed by sending an empty token along with the POST data. The range of malicious actions includes, but is not limited to, modifying entities like banners and zones and altering preferences and settings. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7364 http://cwe.mitre.org/data/definitions/352.html https://github.com/revive-adserver/revive-adserver/commit/288f81cc ======================================================================== Vulnerability 2 - Reflected XSS ======================================================================== CVE-ID: CVE-2015-7365 CWE-ID: CWE-79 CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) ======================================================================== Abdullah Hussam Gazi has discovered that the plugin upgrade form was not properly escaping filenames before displaying them when uploading a file containing errors. Exploiting the vulnerability required a specifically crafted multipart POST message. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7365 http://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/b5848808 ======================================================================== Vulnerability 3 - Cross-Site Request Forgery (CSRF) ======================================================================== CVE-ID: CVE-2015-7366 CWE-ID: CWE-532 CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) ======================================================================== N B Sri Harsha has discovered that some plugin actions (e.g. enabling, disabling) could be performed via GET without any CSRF protection mechanism. Successful CSRF attacks could potentially lead to service disruptions in the case of core plugins being disabled. He also discovered that the account-user-*.php scripts were not checking the CSRF token sent via POST, allowing minor attacks, such as changing the victim's contact name and language. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7366 http://cwe.mitre.org/data/definitions/352.html https://github.com/revive-adserver/revive-adserver/commit/13d8181f ======================================================================== Vulnerability 4 - Improper Access Control ======================================================================== CVE-ID: CVE-2015-7367 CWE-ID: CWE-284 CVSSv2: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) ======================================================================== N B Sri Harsha discovered that deleting or unlinking users with an active session didn't have any effect until the session was expired, potentially allowing the users to perform undesired actions while such sessions were still active. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7367 http://cwe.mitre.org/data/definitions/284.html https://github.com/revive-adserver/revive-adserver/commit/ccbd1cc5 ======================================================================== Vulnerability 5 - Information Exposure Through Browser Caching ======================================================================== CVE-ID: CVE-2015-7368 CWE-ID: CWE-525 CVSSv2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N) ======================================================================== N B Sri Harsha has discovered that the cached copies of pages visited in Revive Adserver's admin UI were still reachable via the browser history after successfully logging out. This potentially allowed exposuse of sensitive information to unauthorised parties. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7368 http://cwe.mitre.org/data/definitions/525.html https://github.com/revive-adserver/revive-adserver/commit/15aac363 https://github.com/revive-adserver/revive-adserver/commit/c76f675d ======================================================================== Vulnerability 6 - Overly Permissive Cross-domain Whitelist ======================================================================== CVE-ID: CVE-2015-7369 CWE-ID: CWE-942 CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) ======================================================================== Sergey Markov has reported that the crossdomain.xml files shipped with Revive Adserver are overly permissive. On a default installation they could in fact be exploited with malicious intents, e.g. to steal session cookies. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7369 http://cwe.mitre.org/data/definitions/942.html https://github.com/revive-adserver/revive-adserver/commit/4be0aa55 ======================================================================== Vulnerability 7 - Reflected XSS ======================================================================== CVE-ID: CVE-2015-7370 CWE-ID: CWE-79 CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) ======================================================================== Sergey Markov has discovered that the open-flash-chart.swf file, used by the VideoAds plugin in Revive Adserver, was vulnerable to reflected XSS attacks on the id and data-file parameters. This file was included via the third party LGPLv2 graphing library, Open Flash Chart 2, which appears to be currently unmaintained. The Revive Adserver team has therefore decided to fix the vulnerabilities that had been reported and to publish a github repository for the library, containing its history and the vulnerability fixes, for the benefit of everyone else using it: https://github.com/revive-adserver/open-flash-chart References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7370 http://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/202eb15c https://github.com/revive-adserver/revive-adserver/commit/e9cda5a4 https://github.com/revive-adserver/open-flash-chart/commit/0a181c56 ======================================================================== Vulnerability 8 - Improper Access Control ======================================================================== CVE-ID: CVE-2015-7371 CWE-ID: CWE-284 CVSSv2: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) ======================================================================== Krzysztof K. Wasielewski reported that run-mpe.php, a script used by the admin UI to asynchronously trigger a run of the Maintenance Priority Engine when necessary, was lacking proper authentication and access control and could therefore be called by any third party. Running maintenance is a resource intensive task, although a locking mechanism prevents it from being run multiple times concurrently; thus, run-mpe.php cannot be used alone for a resource exhaustion attack. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7371 http://cwe.mitre.org/data/definitions/284.html https://github.com/revive-adserver/revive-adserver/commit/12cefa6f ======================================================================== Vulnerability 9 - Local File Inclusion ======================================================================== CVE-ID: CVE-2015-7372 CWE-ID: CWE-98 CVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) ======================================================================== Krzysztof K. Wasielewski reported that the layerstyle parameter in al.php was not properly sanitized, causing a potential LFI vulnerability. Under normal circumstances, an attacker would need to place a file named layerstyle.inc.php in an arbitrary directory on the server and craft the layerstyle parameter accordingly to load it. If an old version of PHP is being used the server, other attack techniques might be possible, e.g. NULL-byte truncation. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7372 http://cwe.mitre.org/data/definitions/98.html https://github.com/revive-adserver/revive-adserver/commit/86b623f8 https://github.com/revive-adserver/revive-adserver/commit/c76f675d ======================================================================== Vulnerability 10 - Reflected XSS (Cross-site scripting) ======================================================================== CVE-ID: CVE-2015-7373 CWE-ID: CWE-79 CVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) ======================================================================== A feature called "magic-macros" in Revive Adserver allows dynamic data to be displayed in the banner output. There is a predefined set of such macros (e.g. {random}, {clickurl}, etc.), but the feature also allows the display of arbitrary GET parameters. A user reported that the values coming from GET parameters were not properly escaped before being displayed, thus making banners using such magic-macros a potential vector for XSS attacks. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7373 http://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/c40abff6 https://github.com/revive-adserver/revive-adserver/commit/c76f675d ======================================================================== Solution ======================================================================== We strongly advise people to upgrade to the most recent 3.2.2 release of Revive Adserver, including those running OpenX Source or older versions of the application. # 0day.today [2024-06-24] #