[REVIVE-SA-2014-002] Revive Adserver 3.0.6 and 3.1.0 fix multiple vulnerabilities

2014-12-22T00:00:00
ID SECURITYVULNS:DOC:31519
Type securityvulns
Reporter Securityvulns
Modified 2014-12-22T00:00:00

Description

======================================================================== Revive Adserver Security Advisory REVIVE-SA-2014-002


http://www.revive-adserver.com/security/revive-sa-2014-002

CVE-IDs: CVE-2014-8793, CVE-2014-8875 Date: 2014-12-17 Risk Level: Medium Applications affected: Revive Adserver Versions affected: <= 3.0.5 Versions not affected: >= 3.0.6, >= 3.1.0 Website: http://www.revive-adserver.com/ ========================================================================

======================================================================== Vulnerability 1 - Denial of Service ======================================================================== Vulnerability Type: XML Entity Expansion [CWE-776] CVE-ID: CVE-2014-8875 CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) ========================================================================

Description

Similar vulnerabilities have been discovered and reported earlier in 2014 for other PHP applications, i.e. Drupal and WordPress. It has been discovered that the Revive Adserver’s XML-RPC implementation might be vulnerable to the same kind of attacks.

A remote attacker can send specifically crafted payloads to the XML-RPC endpoints of a Revive Adserver instance in an attempt to consume the server resources (CPU and memory) and ultimately lead to the application becoming unavailable or unresponsive (denial of service).

Details

Revive Adserver XML-RPC servers, available both in the delivery engine (/www/delivery/[ad]xmlrpc.php, /adxmlrpc.php) and the API endpoints (/www/api/v2/xmlrpc/, /www/api/v1/xmlrpc/*.php) might be vulnerable to certain types of XML entity expansion attacks, also depending on the libxml2 version available on the system.

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8875 http://cwe.mitre.org/data/definitions/776.html https://github.com/revive-adserver/revive-adserver/commit/0559d00 https://wordpress.org/news/2014/08/wordpress-3-9-2/ https://www.drupal.org/SA-CORE-2014-004

======================================================================== Vulnerability 2 - XSS ======================================================================== Vulnerability Type: Cross-Site Scripting [CWE-79] CVE-ID: CVE-2014-8793 CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Also known as: HTB23242 ========================================================================

Description

A Cross-Site Scripting vulnerability was recently discovered and reported by High-Tech Bridge Security Research Lab ( https://www.htbridge.com/ ).

A remote attacker can trick logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

Details

Input passed via the "refresh_page" GET parameter to "/www/admin/report-generate.php" script is not properly sanitised before being returned to the user.

Please see High-Tech Bridge's own advisory for more information.

References

https://www.htbridge.com/advisory/HTB23242 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8793 http://cwe.mitre.org/data/definitions/79.html https://github.com/revive-adserver/revive-adserver/commit/2be73f9

======================================================================== Solution ========================================================================

We strongly advise people to upgrade to the most recent 3.1.0 or 3.0.6 versions of Revive Adserver, including those running OpenX Source or older versions of the application.

======================================================================== Contact Information ========================================================================

The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>.

Please review http://www.revive-adserver.com/security/ before doing so.

-- Matteo Beccati On behalf of the Revive Adserver Team http://www.revive-adserver.com/