Message-ID: <5ad6f843-2a3c-4a08-8738-8cd0daa0a54c@beccati.com>
Date: Fri, 24 Oct 2025 14:10:18 +0200
From: Matteo Beccati <php@...cati.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] [REVIVE-SA-2025-002] Revive Adserver Vulnerability

========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2025-002
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-002
------------------------------------------------------------------------
Date:                  2025-10-24
Risk Level:            High
Applications affected: Revive Adserver
Versions affected:     6.0.0
Versions not affected: >= 6.0.1
Website:               https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability: SQL injection
========================================================================
Vulnerability Type:    Improper Neutralization of Special Elements used
                         in an SQL Command ('SQL Injection')
                         [CWE-89]
CVE-ID:                CVE-2025-52664
CVSS Base Score:       8.8
CVSS Vector:           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
========================================================================

Description
-----------
HackerOne community member Mahmoud Khaled Kanon 
(https://github.com/Kanon4) has reported an SQL injection vulnerability 
in the admin-search.php script. An attacker can craft a specific URL 
that includes an SQL payload in the “keyword” parameter. The script 
requires manager-level authentication for the injection to happen and 
the usage of a MySQL backend. This issue affects Revive Adserver v6.0.0 
only.


Details
-------
The “keyword” GET/POST parameter sent to the admin-search.php script is 
used in the `matchPattern()` method of the underlying PEAR MDB2 library, 
which is now largely unmaintained. The method was applying the necessary 
levels of escaping in the wrong order, resulting in single quotes being 
escaped twice when using a MySQL backend, effectively inserting a 
backslash character instead of escaping each single quote in the input. 
The result was a vulnerability to two types of attacks:

   * Error-based injection using MySQL’s EXTRACTVALUE function
   * Time-based blind injection using MySQL’s SLEEP function

An attacker with manager-level permissions can access the page, submit 
malicious queries and gather some results either via the error message 
or using SLEEP and verifying response times.

Alternatively, blind attacks could be performed by tricking a logged-in 
administrator/manager user into visiting specifically crafted URLs. 
Attack vectors are currently just proof of concept, as it is unknown 
what kind of information could be extracted or disrupted using such methods.


References
----------
https://hackerone.com/reports/3395221
https://github.com/revive-adserver/revive-adserver/commit/ffbc74d
https://cwe.mitre.org/data/definitions/89.html


========================================================================
Solution
========================================================================

We recommend updating to the most recent 6.0.1 version of Revive 
Adserver, or whatever happens to be the current release at the time of 
reading this security advisory.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/
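
The escaping-order flaw described under Details, as an added example that is not part of the original advisory and is not MDB2 or Revive Adserver code. It is a simplified Python model; the helper names, the two-layer split and the sample keyword are assumptions made for illustration.

```python
# Simplified model of the two escaping layers behind a MySQL LIKE pattern.
# Hypothetical helper names; this is not MDB2's matchPattern() code.

def escape_literal(s: str) -> str:
    """String-literal layer: backslash-escape backslashes and single quotes."""
    return s.replace("\\", "\\\\").replace("'", "\\'")

def escape_like(s: str, esc: str = "\\") -> str:
    """LIKE layer: prefix the escape character, % and _ with the escape character."""
    return "".join(esc + ch if ch in (esc, "%", "_") else ch for ch in s)

def pattern_wrong_order(keyword: str) -> str:
    # Literal escaping runs first, so the LIKE layer then doubles the
    # backslash that was protecting each quote: ' -> \' -> \\'
    return "'%" + escape_like(escape_literal(keyword)) + "%'"

def pattern_right_order(keyword: str) -> str:
    # LIKE escaping first, literal escaping last, so every quote and every
    # backslash that reaches the SQL text is escaped exactly once.
    return "'%" + escape_literal(escape_like(keyword)) + "%'"

def text_after_literal(sql: str) -> str:
    """Return what follows the leading '...' literal, read the way MySQL does
    by default (backslash escapes the next character, '' is a quote)."""
    if not sql.startswith("'"):
        raise ValueError("expected a quoted literal")
    i = 1
    while i < len(sql):
        if sql[i] == "\\":
            i += 2
        elif sql[i] == "'" and sql[i + 1:i + 2] == "'":
            i += 2
        elif sql[i] == "'":
            return sql[i + 1:]
        else:
            i += 1
    raise ValueError("unterminated literal")

if __name__ == "__main__":
    keyword = "O'Reilly"  # constructed, benign sample input
    for build in (pattern_wrong_order, pattern_right_order):
        literal = build(keyword)
        print(f"{build.__name__}: {literal}  outside literal: {text_after_literal(literal)!r}")
```

A check like `text_after_literal()` returning an empty string for every test keyword works as a regression test for escaping helpers of this kind.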
