HackerOne report H1:1694171 (l4stb1t), Sep 07, 2022 - 9:32 p.m.

Revive Adserver: Multiple cross-site scripting (XSS) vulnerabilities in Revive Adserver

2022-09-07 21:32:37
l4stb1t
hackerone.com
3

EPSS: 0.0005 (Low), percentile 17.1%

From @l4stb1t's original report:

There are multiple XSS vulnerabilities on the default layerstyles provided by the adserver.

For the “simple” layer style (source code at “plugins_repo/openXInvocationTags/plugins/invocationTags/oxInvocationTags/layerstyles/simple/layerstyle.inc.php”):

  • CSS code injection on the “padding” parameter
  • CSS code injection on the “bordercolor” parameter
  • JavaScript code injection on the “shifth” parameter when the “align” parameter is set to “center”
  • JavaScript code injection on the “shiftv” parameter when the “valign” parameter is set to “middle”

For the “geocities” layer style (source code at “plugins_repo/openXInvocationTags/plugins/invocationTags/oxInvocationTags/layerstyles/geocities/layerstyle.inc.php”):

  • CSS code injection on the “padding” parameter
  • HTML code injection on the “closetext” parameter

For the “floater” layer style (source code at “plugins_repo/openXInvocationTags/plugins/invocationTags/oxInvocationTags/layerstyles/floater/layerstyle.inc.php”):

  • JavaScript code injection on the “rmargin” parameter
  • JavaScript code injection on the “lmargin” parameter
  • CSS code injection on the “shiftv” parameter
  • JavaScript code injection on the “loop” parameter

For the “cursor” layer style (source code at “plugins_repo/openXInvocationTags/plugins/invocationTags/oxInvocationTags/layerstyles/cursor/layerstyle.inc.php”):

  • JavaScript code injection on the “stickyness” parameter when the “trail” parameter is set to “1”
  • JavaScript code injection on the “offsetx” parameter when the “trail” parameter is set to “1”
  • JavaScript code injection on the “offsety” parameter when the “trail” parameter is set to “1”
  • JavaScript code injection on the “transparancy” parameter
  • JavaScript code injection on the “delay” parameter when the “hide” parameter is set to “1”

The vulnerabilities may also affect other layerstyles copied from the ones listed above.
Through the CSS code injection an attacker may create requests to external resources by supplying “0;background:url(<link here>);”, while through the HTML and JavaScript code injection the attacker may run JavaScript code on the host website.
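As an added, defender-side illustration (this is not code from the report or from Revive Adserver, whose plugin is written in PHP), the following Python models the three output contexts the report lists: a numeric value dropped into a JavaScript statement, a value dropped into a CSS property, and free text dropped into HTML. The parameter names are the ones the report names; the rendering functions, default values, allowed ranges and the colour pattern are assumptions made for this example. `render_layer_js_unsafe` reproduces the raw-interpolation pattern that lets a `padding` value of `0;background:url(...)` or a `closetext` value containing a tag reach the generated script; `render_layer_js_safe` shows the allow-list validation and context-appropriate encoding that closes each of the listed injection classes.

```python
import html
import json
import re

# Constructed for this example: the layer-style parameters the report names,
# grouped by the type the generated JS/CSS actually needs from them.
INT_PARAMS = {
    "padding", "shifth", "shiftv", "rmargin", "lmargin", "loop",
    "stickyness", "offsetx", "offsety", "transparancy", "delay",
}
# Hex colour or a short alphabetic CSS colour name; anything else is rejected.
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")


class InvalidParameter(ValueError):
    """Raised when a request parameter does not match its expected type."""


def validate_int(name, value, lo=-10000, hi=10000):
    """Accept only a plain (optionally negative) integer within [lo, hi]."""
    if not re.fullmatch(r"-?\d{1,5}", value):
        raise InvalidParameter(f"{name}: expected integer, got {value!r}")
    n = int(value)
    if not lo <= n <= hi:
        raise InvalidParameter(f"{name}: {n} outside {lo}..{hi}")
    return n


def validate_color(name, value):
    """Accept only values that are syntactically a CSS colour token."""
    if not COLOR_RE.match(value):
        raise InvalidParameter(f"{name}: not a colour token: {value!r}")
    return value


def render_layer_js_unsafe(params):
    """The vulnerable pattern the report describes: raw interpolation of request
    parameters into JS, CSS and HTML contexts (assumed shape, not the plugin's code)."""
    return (
        f"var shifth = {params.get('shifth', '0')};\n"
        f"layer.style.padding = '{params.get('padding', '0')}px';\n"
        f"layer.style.borderColor = '{params.get('bordercolor', '#000')}';\n"
        f"closeHtml = '{params.get('closetext', 'Close')}';\n"
    )


def render_layer_js_safe(params):
    """Hardened variant: numeric parameters are cast after validation, the colour
    must match an allow-list pattern, and free text is HTML-escaped and then
    JSON-encoded so it stays a string literal in every context it reaches."""
    shifth = validate_int("shifth", params.get("shifth", "0"))
    padding = validate_int("padding", params.get("padding", "0"), lo=0, hi=500)
    border = validate_color("bordercolor", params.get("bordercolor", "#000"))
    closetext = html.escape(params.get("closetext", "Close"), quote=True)
    return (
        f"var shifth = {shifth};\n"
        f"layer.style.padding = {json.dumps(f'{padding}px')};\n"
        f"layer.style.borderColor = {json.dumps(border)};\n"
        f"closeHtml = {json.dumps(closetext)};\n"
    )


def is_injected(js):
    """Does raw markup or a CSS url() reach the generated script?"""
    return "<script" in js or "background:url(" in js


def rejects(params):
    """True when the hardened renderer refuses the parameter set outright."""
    try:
        render_layer_js_safe(params)
    except InvalidParameter:
        return True
    return False


if __name__ == "__main__":
    # Constructed request matching the report's closetext example.
    payload = {"closetext": "<script>alert(123);</script>"}
    print("unsafe output contains markup:", is_injected(render_layer_js_unsafe(payload)))
    print("safe output contains markup:  ", is_injected(render_layer_js_safe(payload)))
    print("padding with CSS rejected:    ",
          rejects({"padding": "0;background:url(http://attacker.invalid/)"}))
```

The two renderers differ only in what happens between reading a parameter and writing it out: every numeric field becomes an `int` or the request is refused, the colour is matched before use, and the one free-text field is encoded for both the HTML it will be inserted into and the JavaScript string it travels in. Casting alone would not help `closetext`, which is why that field is treated separately.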

Example exploitation:
Assuming that the adserver runs under ads.example.com and that zoneid 1 is a valid id of an active campaign, an attacker may issue the following request to the server:
https://ads.example.com/www/delivery/al.php?zoneid=1&layerstyle=geocities&closetext=<script>alert(123);</script>
and the server will return JavaScript code with the attacker’s payload as delivered by the closetext parameter.
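An added example, not part of the original report: a small Python scanner that reads web-server access-log lines, picks out requests to al.php, and flags layer-style parameters whose values have the wrong shape for their type, which is the footprint the request above would leave in the logs of the adserver host. The log lines, addresses, timestamps and payloads are constructed for this example; the parameter types follow the report's list, and the query string is split by hand so a `;` inside a value is not mistaken for a separator.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Combined Log Format) for an adserver
# host; addresses and payloads are made up for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Sep/2022:21:32:37 +0000] "GET /www/delivery/al.php?zoneid=1&layerstyle=simple&padding=5&bordercolor=%23ff0000&shifth=10 HTTP/1.1" 200 1842',
    '203.0.113.9 - - [07/Sep/2022:21:33:02 +0000] "GET /www/delivery/al.php?zoneid=1&layerstyle=geocities&closetext=%3Cscript%3Ealert(123)%3B%3C%2Fscript%3E HTTP/1.1" 200 1901',
    '203.0.113.9 - - [07/Sep/2022:21:33:40 +0000] "GET /www/delivery/al.php?zoneid=1&layerstyle=simple&padding=0%3Bbackground%3Aurl(http%3A%2F%2Fattacker.invalid%2F) HTTP/1.1" 200 1855',
    '198.51.100.2 - - [07/Sep/2022:21:34:11 +0000] "GET /www/delivery/ajs.php?zoneid=2 HTTP/1.1" 200 512',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter types per the report: numeric fields, one colour, one text label.
NUMERIC_PARAMS = {
    "padding", "shifth", "shiftv", "rmargin", "lmargin", "loop",
    "stickyness", "offsetx", "offsety", "transparancy", "delay",
}
COLOR_PARAMS = {"bordercolor"}
TEXT_PARAMS = {"closetext"}
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")
MARKUP_RE = re.compile(r"[<>\"']|javascript:|url\(", re.I)


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode each side, so a
    ';' inside a value stays part of the value."""
    pairs = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_params(path):
    """Return (name, reason) findings for an al.php request whose layer-style
    parameters carry a value of the wrong shape; [] for other paths."""
    url_path, _, query = path.partition("?")
    if not url_path.endswith("/al.php"):
        return []
    findings = []
    for name, value in parse_query(query):
        if name in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", value):
            findings.append((name, "non-numeric"))
        elif name in COLOR_PARAMS and not COLOR_RE.match(value):
            findings.append((name, "not-a-colour"))
        elif name in TEXT_PARAMS and MARKUP_RE.search(value):
            findings.append((name, "markup"))
    return findings


def scan(lines):
    """Parse each log line and collect the requests that carry findings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = suspicious_params(m["path"])
        if findings:
            hits.append({"ip": m["ip"], "ts": m["ts"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["findings"])
```

Run against the constructed log the scanner reports two requests: the geocities one with markup in `closetext`, and the simple one with a CSS fragment in `padding`. The benign request and the ajs.php request produce nothing. Because the check is on the shape of each value rather than on a signature, a padding of `0;background:url(...)` and a padding of `abc` are both flagged, which is the right granularity for a parameter the server only ever needs as an integer.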

Impact

Since the endpoints return JavaScript code, to benefit from exploiting the vulnerability the attacker has to chain it with a specific behavior on the host site (the site showing the ads) that allows him to alter the parameters passed to the adserver. For example, if the host site forwards a client identifier from its own parameters to the parameters of the adserver (e.g. passing kid=XYZ), an attacker may use this to smuggle extra parameters to the adserver and eventually run JavaScript code or make external requests.

This method could also be used by an attacker to bypass Cross-Origin Resource Sharing (CORS) rules assuming that the adserver is whitelisted.

Thus, the impact of this vulnerability is relatively small.
