lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <403d9d6e-b68b-1ef7-8a57-b16d14fc3020@beccati.com>
Date: Tue, 21 Jan 2020 14:24:14 +0100
From: Matteo Beccati <matteo@...cati.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [REVIVE-SA-2020-001] Revive Adserver Vulnerability

========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2020-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2020-001
------------------------------------------------------------------------
CVE-IDs:               t.b.a.
Date:                  2020-01-21
Risk Level:            Low
Applications affected: Revive Adserver
Versions affected:     <= 5.0.3
Versions not affected: >= 5.0.4
Website:               https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability - Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation ('Cross-site Scripting') [CWE-79]
CVE-ID:                t.b.a.
CVSS Base Score:       4.3
CVSSv3.1 Vector:       AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore:  1.4
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------
A reflected XSS vulnerability has been discovered in the publicly
accessible afr.php delivery script of Revive Adserver by Jacopo Tediosi.
There are currently no known exploits: the session identifier cannot
be accessed as it is stored in an http-only cookie as of v3.2.2. On
older versions, however, under specific circumstances, it could be
possible to steal the session identifier and gain access to the admin
interface.

Details
-------
The query string sent to the www/delivery/afr.php script was printed
back without proper escaping in a JavaScript context, allowing an
attacker to execute arbitrary JS code on the browser of the victim.


References
----------
https://hackerone.com/reports/775693
https://github.com/revive-adserver/revive-adserver/commit/327aaf10
https://github.com/revive-adserver/revive-adserver/commit/9ec2fa26
https://cwe.mitre.org/data/definitions/79.html



========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 5.0.4 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/




Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ