Revive Adserver 3.0.5 Cross Site Scripting / Denial Of Service
Posted on 18 December 2014
======================================================================== Revive Adserver Security Advisory REVIVE-SA-2014-002 ------------------------------------------------------------------------ http://www.revive-adserver.com/security/revive-sa-2014-002 ------------------------------------------------------------------------ CVE-IDs: CVE-2014-8793, CVE-2014-8875 Date: 2014-12-17 Risk Level: Medium Applications affected: Revive Adserver Versions affected: <= 3.0.5 Versions not affected: >= 3.0.6, >= 3.1.0 Website: http://www.revive-adserver.com/ ======================================================================== ======================================================================== Vulnerability 1 - Denial of Service ======================================================================== Vulnerability Type: XML Entity Expansion [CWE-776] CVE-ID: CVE-2014-8875 CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) ======================================================================== Description ----------- Similar vulnerabilities have been discovered and reported earlier in 2014 for other PHP applications, i.e. Drupal and WordPress. It has been discovered that the Revive Adserver’s XML-RPC implementation might be vulnerable to the same kind of attacks. A remote attacker can send specifically crafted payloads to the XML-RPC endpoints of a Revive Adserver instance in an attempt to consume the server resources (CPU and memory) and ultimately lead to the application becoming unavailable or unresponsive (denial of service). Details ------- Revive Adserver XML-RPC servers, available both in the delivery engine (/www/delivery/[ad]xmlrpc.php, /adxmlrpc.php) and the API endpoints (/www/api/v2/xmlrpc/, /www/api/v1/xmlrpc/*.php) might be vulnerable to certain types of XML entity expansion attacks, also depending on the libxml2 version available on the system. References ---------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8875 http://cwe.mitre.org/data/definitions/776.html https://github.com/revive-adserver/revive-adserver/commit/0559d00 https://wordpress.org/news/2014/08/wordpress-3-9-2/ https://www.drupal.org/SA-CORE-2014-004 ======================================================================== Vulnerability 2 - XSS ======================================================================== Vulnerability Type: Cross-Site Scripting [CWE-79] CVE-ID: CVE-2014-8793 CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Also known as: HTB23242 ======================================================================== Description ----------- A Cross-Site Scripting vulnerability was recently discovered and reported by High-Tech Bridge Security Research Lab ( https://www.htbridge.com/ ). A remote attacker can trick logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. Details ------- Input passed via the "refresh_page" GET parameter to "/www/admin/report-generate.php" script is not properly sanitised before being returned to the user. Please see High-Tech Bridge's own advisory for more information. References ---------- https://www.htbridge.com/advisory/HTB23242 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8793 http://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/2be73f9 ======================================================================== Solution ======================================================================== We strongly advise people to upgrade to the most recent 3.1.0 or 3.0.6 versions of Revive Adserver, including those running OpenX Source or older versions of the application. ======================================================================== Contact Information ======================================================================== The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>. Please review http://www.revive-adserver.com/security/ before doing so. -- Matteo Beccati On behalf of the Revive Adserver Team http://www.revive-adserver.com/
