Revive Adserver Deserialization / Open Redirect

29 Apr 2019 | Reported by Matteo Beccati | Type: packetstorm | Source: packetstormsecurity.com

Revive Adserver Deserialization & Open Redirect, High Ris

Code
`========================================================================  
Revive Adserver Security Advisory REVIVE-SA-2019-001  
------------------------------------------------------------------------  
https://www.revive-adserver.com/security/revive-sa-2019-001  
------------------------------------------------------------------------  
CVE-IDs: t.b.a.  
Date: 2019-04-23  
Risk Level: High  
Applications affected: Revive Adserver  
Versions affected: < 4.2.0  
Versions not affected: >= 4.2.0  
Website: https://www.revive-adserver.com/  
========================================================================  
  
  
========================================================================  
Vulnerability 1 - Deserialization of Untrusted Data  
========================================================================  
Vulnerability Type: Deserialization of Untrusted Data [CWE-502]  
CVE-ID: t.b.a.  
CVSS Base Score: 10  
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H  
CVSS Impact Subscore: 6.0  
CVSS Exploitability Subscore: 3.9  
========================================================================  
  
Description  
-----------  
A Deserialization of Untrusted Data vulnerability has been discovered in  
the Revive Adserver’s delivery XML-RPC scripts. Such a vulnerability could  
be used to perform various types of attacks, e.g. exploit  
serialize-related PHP vulnerabilities or PHP object injection.  
  
It is possible, although unconfirmed, that the vulnerability has been  
used by some attackers in order to gain access to some Revive Adserver  
instances and deliver malware through them to third party websites.  
  
Details  
-------  
An attacker could send a specifically crafted payload to the XML-RPC  
invocation script and trigger the unserialize() call using the "what"  
parameter in the "openads.spc" RPC method of adxmlrpc.php and  
www/delivery/axmlrpc.php. Likewise the www/delivery/dxmlrpc.php script  
uses unserialize() on the first parameter of the "pluginExecute" method.  
  
References  
----------  
https://hackerone.com/reports/512076  
https://hackerone.com/reports/542670  
https://github.com/revive-adserver/revive-adserver/commit/dffed50  
https://github.com/revive-adserver/revive-adserver/commit/a1c3db4  
https://cwe.mitre.org/data/definitions/502.html  
  
  
========================================================================  
Vulnerability 2 - Open Redirect  
========================================================================  
Vulnerability Type: URL Redirection to Untrusted Site  
('Open Redirect') [CWE-601]  
CVE-ID: t.b.a.  
CVSS Base Score: 4.2  
CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N  
CVSS Impact Subscore: 2.5  
CVSS Exploitability Subscore: 1.6  
========================================================================  
  
Description  
-----------  
An Open Redirect vulnerability was discovered and reported by HackerOne  
user Sammy (sumni). A remote attacker can trick a logged-in user into  
opening a specially crafted link and have them redirected to any  
destination.  
  
  
Details  
-------  
Input passed via the "return_url" GET parameter to  
"/www/admin/account-switch.php" script is not properly sanitised before  
being used to redirect the user to the target page.  
  
  
References  
----------  
https://github.com/revive-adserver/revive-adserver/commit/3db7aa0  
https://cwe.mitre.org/data/definitions/601.html  
  
  
  
========================================================================  
Solution  
========================================================================  
  
We strongly advise people to upgrade to the most recent 4.2.0 version of  
Revive Adserver. In case that is not immediately feasible, we especially  
recommend deleting the adxmlrpc.php, www/delivery/axmlrpc.php and  
www/delivery/dxmlrpc.php files.  
  
  
========================================================================  
Contact Information  
========================================================================  
  
The security contact for Revive Adserver can be reached at:  
<security AT revive-adserver DOT com>.  
  
Please review https://www.revive-adserver.com/security/ before doing so.  
  
  
--   
Matteo Beccati  
On behalf of the Revive Adserver Team  
https://www.revive-adserver.com/  
  
  
  
`
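
Added example, not part of the advisory or of Revive Adserver's code: a Python access-log check that flags requests to the three XML-RPC scripts named under Vulnerability 1 and requests to account-switch.php whose "return_url" leaves the site (Vulnerability 2). The Combined Log Format, the host name ads.example.test and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Script paths taken from the advisory's Details and Solution sections.
XMLRPC_SCRIPTS = ("/adxmlrpc.php", "/www/delivery/axmlrpc.php", "/www/delivery/dxmlrpc.php")
SWITCH_SCRIPT = "/www/admin/account-switch.php"

# Client address, method, request target and status from a Combined Log Format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation addresses, assumed host ads.example.test).
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Apr/2019:10:00:01 +0000] "POST /www/delivery/axmlrpc.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Apr/2019:10:00:05 +0000] "GET /www/admin/account-switch.php'
    '?return_url=https%3A%2F%2Fother.example%2Flanding HTTP/1.1" 302 0',
    '203.0.113.9 - - [23/Apr/2019:10:00:09 +0000] "GET /www/admin/account-switch.php'
    '?return_url=%2Fwww%2Fadmin%2Fstats.php HTTP/1.1" 302 0',
    '192.0.2.44 - - [23/Apr/2019:10:00:12 +0000] "GET /www/delivery/ajs.php?zoneid=1 HTTP/1.1" 200 930',
    '198.51.100.7 - - [23/Apr/2019:10:01:00 +0000] "POST /adxmlrpc.php HTTP/1.1" 404 0',
]

def is_offsite(return_url, own_host):
    """True when return_url would send the browser away from own_host."""
    parts = urlsplit(return_url.strip())
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True  # unexpected scheme, never a legitimate admin page
    host = parts.hostname  # set for absolute and scheme-relative (//host) URLs
    return host is not None and host.lower() != own_host.lower()

def scan(lines, own_host):
    """Return (line_no, client, finding) for requests touching the advisory's scripts."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.endswith(XMLRPC_SCRIPTS):  # also matches installs in a subdirectory
            findings.append((no, client, f"xmlrpc {method} {url.path} -> {status}"))
        elif url.path.endswith(SWITCH_SCRIPT):
            for value in parse_qs(url.query).get("return_url", []):  # percent-decoded
                if is_offsite(value, own_host):
                    findings.append((no, client, f"offsite return_url={value}"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, "ads.example.test"):
        print(finding)
```

Access logs do not record request bodies, so a hit on an XML-RPC script shows that the endpoint was reachable and requested, not what was sent to it. Once the files have been deleted as the Solution section recommends, requests to them should return 404, as in the last sample line.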
