{"id": "PACKETSTORM:161070", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Revive Adserver 5.0.5 Cross Site Scripting / Open Redirect", "description": "", "published": "2021-01-24T00:00:00", "modified": "2021-01-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/161070/Revive-Adserver-5.0.5-Cross-Site-Scripting-Open-Redirect.html", "reporter": "Matteo Beccati", "references": [], "cvelist": ["CVE-2021-22871", "CVE-2021-22872", "CVE-2021-22873"], "lastseen": "2021-01-25T17:29:01", "viewCount": 71, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-22871", "CVE-2021-22872", "CVE-2021-22873"]}, {"type": "hackerone", "idList": ["H1:1081406", "H1:819362", "H1:986365"]}], "rev": 4}, "score": {"value": 4.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-22871", "CVE-2021-22872", "CVE-2021-22873"]}, {"type": "hackerone", "idList": ["H1:1081406", "H1:819362", "H1:986365"]}]}, "exploitation": null, "vulnersScore": 4.6}, "sourceHref": "https://packetstormsecurity.com/files/download/161070/REVIVE-SA-2021-001.txt", "sourceData": "`======================================================================== \nRevive Adserver Security Advisory REVIVE-SA-2021-001 \n------------------------------------------------------------------------ \nhttps://www.revive-adserver.com/security/revive-sa-2021-001 \n------------------------------------------------------------------------ \nCVE-IDs: CVE-2021-22871, CVE-2021-22872, CVE-2021-22873 \nDate: 2020-01-19 \nRisk Level: Low \nApplications affected: Revive Adserver \nVersions affected: <= 5.0.5 \nVersions not affected: >= 5.1.0 \nWebsite: https://www.revive-adserver.com/ \n======================================================================== \n \n \n======================================================================== \nVulnerability 1 - Persistent XSS 
\n======================================================================== \nVulnerability Type: Improper Neutralization of Input During Web Page \nGeneration ('Cross-site Scripting') [CWE-79] \nCVE-ID: CVE-2021-22871 \nCVSS Base Score: 3.5 \nCVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N \nCVSS Impact Subscore: 2.5 \nCVSS Exploitability Subscore: 0.9 \n======================================================================== \n \nDescription \n----------- \nA persistent XSS vulnerability has been discovered by security \nresearcher Keyur Vala. An attacker with manager account credentials could \nstore HTML code in a website property, which could subsequently be \ndisplayed unescaped on a specific page by other users in the system. \n \n \nDetails \n------- \nAny user with a manager account could store specifically crafted content \nin the URL website property which was then displayed unsanitised in the \naffiliate-preview.php tag generation screen, potentially by other users \nin the system, allowing a persistent XSS attack to take place. \nThe target users would however mostly have access to the same resources \nas the attacker, so the practical applications are not considered \nparticularly harmful, especially since the session cookie cannot be \naccessed via JavaScript. 
\n \n \nReferences \n---------- \nhttps://hackerone.com/reports/819362 \nhttps://github.com/revive-adserver/revive-adserver/commit/89b88ce26 \nhttps://github.com/revive-adserver/revive-adserver/commit/62a2a0439 \nhttps://cwe.mitre.org/data/definitions/79.html \n \n \n \n======================================================================== \nVulnerability 2 - Reflected XSS \n======================================================================== \nVulnerability Type: Improper Neutralization of Input During Web Page \nGeneration ('Cross-site Scripting') [CWE-79] \nCVE-ID: CVE-2021-22872 \nCVSS Base Score: 4.3 \nCVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N \nCVSS Impact Subscore: 1.4 \nCVSS Exploitability Subscore: 2.8 \n======================================================================== \n \nDescription \n----------- \n \nSecurity researcher Axel Flamcourt has discovered that the fix for the \nreflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on \nolder browsers with specifically crafted payloads to the publicly \naccessible afr.php delivery script of Revive Adserver. The practical \napplications are not considered particularly harmful, especially since \nthe session cookie cannot be accessed via JavaScript. \n \n \nDetails \n------- \nThe previous fix was working on most modern browsers, but some older \nbrowsers are not automatically url-encoding parameters and would leave \nan opportunity to inject closing and opening script tags and achieve \nreflected XSS attacks e.g. on IE11. 
\n \n \nReferences \n---------- \nhttps://hackerone.com/reports/986365 \nhttps://www.revive-adserver.com/security/revive-sa-2020-001 \nhttps://github.com/revive-adserver/revive-adserver/commit/00fdb8d0e \nhttps://github.com/revive-adserver/revive-adserver/commit/1dbcf7d50 \nhttps://cwe.mitre.org/data/definitions/79.html \n \n \n======================================================================== \nVulnerability 3 - Open Redirect \n======================================================================== \nVulnerability Type: URL Redirection to Untrusted Site \n('Open Redirect') [CWE-601] \nCVE-ID: CVE-2021-22873 \nCVSS Base Score: 5.4 \nCVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N \nCVSS Impact Subscore: 2.5 \nCVSS Exploitability Subscore: 2.8 \n======================================================================== \n \nDescription \n----------- \nAn opportunity for open redirects has been available by design since the \nearly versions of Revive Adserver's predecessors in the impression and \nclick tracking scripts to allow third party ad servers to track such \nmetrics when delivering ads. Historically the display advertising \nindustry has considered that to be a feature, not a real vulnerability. \nThings have evolved since then and third party click tracking via \nredirects is not a viable option anymore, therefore any functionality \nusing open redirects in delivery scripts has been removed from Revive \nAdserver. \n \n \nDetails \n------- \nThe lg.php and ck.php delivery scripts were subject to open redirect via \nthe dest, oadest and/or ct0 parameters. All of them are now ignored, \nand redirects are only performed (when applicable) to destination URLs \nstored in the properties of the banner being displayed. A new signed \nclick delivery script has been introduced with an HMAC signed \ndestination parameter, allowing customisable destination URLs while \npreventing destinations from being tampered with by attackers. 
\n \n \nReferences \n---------- \nhttps://hackerone.com/reports/1081406 \nhttps://github.com/revive-adserver/revive-adserver/issues/1068 \nhttps://cwe.mitre.org/data/definitions/601.html \n \n \n \n======================================================================== \nSolution \n======================================================================== \n \nWe strongly advise people to upgrade to the most recent 5.1.0 version of \nRevive Adserver. \n \n \n======================================================================== \nContact Information \n======================================================================== \n \nThe security contact for Revive Adserver can be reached at: \n<security AT revive-adserver DOT com>. \n \nPlease review https://www.revive-adserver.com/security/ before doing so. \n \n \n-- \nMatteo Beccati \nOn behalf of the Revive Adserver Team \nhttps://www.revive-adserver.com/ \n \n \n \n \n \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645870749}}
{"hackerone": [{"lastseen": "2021-02-03T23:02:20", "bounty": 0.0, "description": "It is possible to bypass the first fix of this XSS by closing the script tag, and then opening a new one. cURL PoC is trivial :\n\n`curl \"https://revive-instance/www/delivery/afr.php?refresh=10000&</script><script>alert(1)</script>\"`\n\nThe response will be :\n\n```\n<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>\n<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>\n<head>\n<title>Advertisement</title>\n\n <script type='text/javascript'><!--// <![CDATA[\n setTimeout('window.location.replace(\"https://revive-instance/www/delivery/afr.php?refresh=10000&</script><script>alert(1)</script>&loc=\")', 10000000);\n // ]]> --></script><noscript><meta http-equiv='refresh' content='10000;url=https://revive-instance/www/delivery/afr.php?refresh=10000&</script><script>alert(1)</script>&loc='></noscript>\n <style type='text/css'>\nbody {margin:0; height:100%; background-color:transparent; width:100%; text-align:center;}\n</style>\n</head>\n<body>\n\n</body>\n</html>\n\n## Impact\n\nAn attacker can perform arbitrary actions on behalf of the victim.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-09-19T23:56:40", "type": "hackerone", "title": "Revive Adserver: Reflected XSS on /www/delivery/afr.php (bypass of report #775693)", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22872"], "modified": "2021-01-19T15:30:37", "id": "H1:986365", "href": "https://hackerone.com/reports/986365", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-02-10T20:29:50", "bounty": 0.0, "description": "### Summary:\nStored XSS can be submitted on the Website using Default Manager, and anyone who checks the report will trigger the XSS and Open Redirect.\n\n### Description:\nStored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application.\n\n### Steps To Reproduce:\n1. Login with valid credentials of the user.\n2. Go to inventory > Website > Website Properties\n3. Fill the form and Enter Website URL as \"http://Test\"><img src=x onclick=window.location=\"http://google.com\">\". Click Save Changes.\n4. Login with an administrator account.\n5. Open http://localhost/hackerone/www/admin/affiliate-preview.php?codetype=invocationTags%3AoxInvocationTags%3Aspc&block=0&blockcampaign=0&target=&source=&withtext=0&charset=&noscript=1&ssl=0&affiliateid=1&submitbutton=Generate\n6. 
Click on the Header Script Banner; there is an image, click on it and it will execute the XSS or open redirect.\n\n## Impact\n\nUsers can redirect the admin user or any normal user to any other website, e.g. evil.com.", "edition": 2, "cvss3": {"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-03-14T18:49:20", "type": "hackerone", "title": "Revive Adserver: Cross Site Scripting and Open Redirect in affiliate-preview.php file ", "bulletinFamily": "bugbounty", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22871"], "modified": "2021-01-20T11:02:43", "id": "H1:819362", "href": "https://hackerone.com/reports/819362", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-02-03T23:02:19", "bounty": 0.0, "description": "An opportunity for open redirects has been available by design since the\nearly versions of Revive Adserver's predecessors in the impression and\nclick tracking scripts to allow third party ad servers to track such\nmetrics when delivering ads. 
Historically the display advertising\nindustry has considered that to be a feature, not a real vulnerability.\n\nThe lg.php and ck.php delivery scripts are subject to open redirect via\neither dest, oadest and/or ct0 parameters.\n\n## Impact\n\nUsers seeing a trustworthy domain could be redirected to a malicious URL without realising.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-01-19T12:51:23", "type": "hackerone", "title": "Revive Adserver: Open redirect in ck.php and lg.php", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22873"], "modified": "2021-01-20T11:04:49", "id": "H1:1081406", "href": "https://hackerone.com/reports/1081406", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T14:23:19", "description": "Revive Adserver before 5.1.0 permits any user with a manager account to store possibly malicious content in the URL website property, which is then displayed unsanitized in the affiliate-preview.php tag generation screen, leading to a persistent cross-site scripting (XSS) vulnerability.", "cvss3": 
{"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "baseScore": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-01-26T18:16:00", "type": "cve", "title": "CVE-2021-22871", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22871"], "modified": "2021-02-01T18:23:00", "cpe": [], "id": "CVE-2021-22871", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22871", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2022-03-23T14:23:22", "description": "Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available by design to allow third party ad servers to track such metrics when delivering ads. 
However, third party click tracking via redirects is not a viable option anymore, leading to such open redirect functionality being removed and reclassified as a vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-01-26T18:16:00", "type": "cve", "title": "CVE-2021-22873", "cwe": ["CWE-601"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22873"], "modified": "2021-02-02T15:09:00", "cpe": [], "id": "CVE-2021-22873", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22873", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": []}, {"lastseen": "2022-03-23T14:23:21", "description": "Revive Adserver before 5.1.0 is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the publicly accessible afr.php delivery script. 
While this issue was previously addressed in modern browsers as CVE-2020-8115, some older browsers (e.g., IE10) that do not automatically URL encode parameters were still vulnerable.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-01-26T18:16:00", "type": "cve", "title": "CVE-2021-22872", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8115", "CVE-2021-22872"], "modified": "2021-02-02T19:59:00", "cpe": [], "id": "CVE-2021-22872", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22872", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}]}