| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Dec 2013 10:02:27 +0100 From: Matteo Beccati <php@...cati.com> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: [REVIVE-SA-2013-001] Revive Adserver 3.0.2 fixes SQL injection vulnerability ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2013-001 ------------------------------------------------------------------------ Advisory ID: REVIVE-SA-2013-001 CVE ID: CVE-2013-7149 Date: 2013-12-20 Security risk: Critical Applications affected: Revive Adserver Versions affected: <= 3.0.1 Versions not affected: >= 3.0.2 Website: http://www.revive-adserver.com/ ======================================================================== ======================================================================== Vulnerability: SQL injection ======================================================================== Description ----------- An SQL-injection vulnerability was recently discovered and reported to the Revive Adserver team by Florian Sander. The vulnerability is known to be already exploited to gain unauthorised access to the application using brute force mechanisms, however other kind of attacks might be possible and/or already in use. The risk is rated to be critical as the most common end goal of the attackers is to spread malware to the visitors of all the websites and ad networks that the ad server is being used on. The vulnerability is also present and exploitable in OpenX Source 2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x. Details ------- The XML-RPC delivery invocation script was failing to escape its input parameters in the same way the other delivery methods do, allowing attackers to inject arbitrary SQL code via the "what" parameter of the delivery XML-RPC methods. Also, the escaping technique used to handle such parameter in the delivery scripts was based on the addslashes PHP function and has now been upgraded to use the dedicated escaping functions for the database in use. References ---------- http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7149 Permalink --------- http://www.revive-adserver.com/security/REVIVE-SA-2013-001 Solution ======== We strongly advise people to upgrade to the most recent 3.0.2 version of Revive Adserver, including those running OpenX Source or older versions of the application. In case the upgrade cannot be performed in a timely fashion, we suggest to delete the "www/delivery/axmlrpc.php" script (if not in use) as a temporary fix until the application is upgraded. Contact Information =================== The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com> -- Matteo Beccati On behalf of the Revive Adserver Team http://www.revive-adserver.com/
Powered by blists - more mailing lists