[REVIVE-SA-2020-001] Revive Adserver Vulnerability

From: Matteo Beccati <matteo@beccati.com>
To: fulldisclosure@seclists.org,bugtraq@securityfocus.com
Cc:
Subject: [REVIVE-SA-2020-001] Revive Adserver Vulnerability
Date:


========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2020-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2020-001
------------------------------------------------------------------------
CVE-IDs:               t.b.a.
Date:                  2020-01-21
Risk Level:            Low
Applications affected: Revive Adserver
Versions affected:     <= 5.0.3
Versions not affected: >= 5.0.4
Website:               https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability - Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation ('Cross-site Scripting') [CWE-79]
CVE-ID:                t.b.a.
CVSS Base Score:       4.3
CVSSv3.1 Vector:       AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore:  1.4
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------
A reflected XSS vulnerability has been discovered in the publicly
accessible afr.php delivery script of Revive Adserver by Jacopo Tediosi.
There are currently no known exploits: the session identifier cannot
be accessed as it is stored in an http-only cookie as of v3.2.2. On
older versions, however, under specific circumstances, it could be
possible to steal the session identifier and gain access to the admin
interface.

Details
-------
The query string sent to the www/delivery/afr.php script was printed
back without proper escaping in a JavaScript context, allowing an
attacker to execute arbitrary JS code on the browser of the victim.


References
----------
https://hackerone.com/reports/775693
https://github.com/revive-adserver/revive-adserver/commit/327aaf10
https://github.com/revive-adserver/revive-adserver/commit/9ec2fa26
https://cwe.mitre.org/data/definitions/79.html



========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 5.0.4 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/






Copyright © 1995-2020 LinuxRocket.net. All rights reserved.