lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <52B407A3.6060800@beccati.com>
Date: Fri, 20 Dec 2013 10:02:27 +0100
From: Matteo Beccati <php@...cati.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [REVIVE-SA-2013-001] Revive Adserver 3.0.2 fixes
	SQL injection vulnerability

========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2013-001
------------------------------------------------------------------------
Advisory ID:           REVIVE-SA-2013-001
CVE ID:                CVE-2013-7149
Date:                  2013-12-20
Security risk:         Critical
Applications affected: Revive Adserver
Versions affected:     <= 3.0.1
Versions not affected: >= 3.0.2
Website:               http://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability: SQL injection
========================================================================

Description
-----------
An SQL-injection vulnerability was recently discovered and reported to
the Revive Adserver team by Florian Sander. The vulnerability is known
to be already exploited to gain unauthorised access to the application
using brute force mechanisms, however other kind of attacks might be
possible and/or already in use. The risk is rated to be critical as the
most common end goal of the attackers is to spread malware to the
visitors of all the websites and ad networks that the ad server is being
used on.

The vulnerability is also present and exploitable in OpenX Source 2.8.11
and earlier versions, potentially back to phpAdsNew 2.0.x.

Details
-------
The XML-RPC delivery invocation script was failing to escape its input
parameters in the same way the other delivery methods do, allowing
attackers to inject arbitrary SQL code via the "what" parameter of the
delivery XML-RPC methods. Also, the escaping technique used to handle
such parameter in the delivery scripts was based on the addslashes PHP
function and has now been upgraded to use the dedicated escaping
functions for the database in use.

References
----------
http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7149

Permalink
---------
http://www.revive-adserver.com/security/REVIVE-SA-2013-001


Solution
========

We strongly advise people to upgrade to the most recent 3.0.2 version of
Revive Adserver, including those running OpenX Source or older versions
of the application.

In case the upgrade cannot be performed in a timely fashion, we suggest
to delete the "www/delivery/axmlrpc.php" script (if not in use) as a
temporary fix until the application is upgraded.


Contact Information
===================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
http://www.revive-adserver.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ