High-Tech Bridge, advisory HTB23242
Nov 12, 2014

Cross-Site Scripting (XSS) in Revive Adserver

www.htbridge.com

EPSS: 0.004 (percentile 75.3%)

High-Tech Bridge Security Research Lab discovered an XSS vulnerability in Revive Adserver (formerly known as OpenX Source), which can be exploited to perform Cross-Site Scripting attacks against authenticated users and administrators of the vulnerable application leading to total compromise of the Ads platform.

The vulnerability allows an attacker to steal cookies, sessions and credentials stored in the browser, as well as to perform more complicated attacks such as phishing and drive-by attacks.

  1. Cross-Site Scripting (XSS) in Revive Adserver: CVE-2014-8793

1.1 Input passed via the “refresh_page” HTTP GET parameter to the “/www/admin/report-generate.php” script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in user or administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

The exploitation example below displays a pop-up window containing the word “ImmuniWeb” after the user clicks the following link:

http://[host]/www/admin/report-generate.php?submit_type=change&refresh_page=%3C/script%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

Registration is not available; only the website administrator can add new users.
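
A log check for the request described in 1.1, added here as an example and not part of the High-Tech Bridge advisory or of Revive Adserver: it scans web server access log entries for requests to report-generate.php whose “refresh_page” value decodes to HTML markup characters. The combined log format, the function names and the sample entries are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Script path and parameter named in the advisory.
TARGET_PATH = "/www/admin/report-generate.php"
TARGET_PARAM = "refresh_page"

# Request part of a combined-format access log entry: "METHOD URI PROTOCOL".
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Characters that can close the surrounding markup or open a new tag.
MARKUP_RE = re.compile(r"[<>\"']")

def decode_fully(value, max_rounds=3):
    """Percent-decode several times so an extra encoding layer is still inspected."""
    for _ in range(max_rounds):
        value = unquote(value)
    return value

def suspicious_values(log_line):
    """Return decoded refresh_page values in this log line that contain markup."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    uri = urlsplit(match.group(1))
    if not uri.path.endswith(TARGET_PATH):
        return []
    hits = []
    for pair in uri.query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        if unquote(name) == TARGET_PARAM and MARKUP_RE.search(value):
            hits.append(value)
    return hits

def scan(lines):
    """Return (line_number, value) for every flagged request, 1-based."""
    return [(n, v) for n, line in enumerate(lines, 1) for v in suspicious_values(line)]

# Constructed sample entries: addresses, times and the benign value are made up;
# the second request carries the advisory's proof-of-concept string.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2014:10:00:01 +0000] "GET /www/admin/report-generate.php?submit_type=change&refresh_page=placeholder.php HTTP/1.1" 200 5120',
    '192.0.2.11 - - [12/Nov/2014:10:02:17 +0000] "GET /www/admin/report-generate.php?submit_type=change&refresh_page=%3C/script%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E HTTP/1.1" 200 5244',
    '192.0.2.12 - - [12/Nov/2014:10:03:40 +0000] "GET /www/admin/report-generate.php?refresh_page=%253Cb%253E HTTP/1.1" 200 5130',
    '192.0.2.13 - - [12/Nov/2014:10:04:05 +0000] "GET /www/admin/index.php?refresh_page=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: refresh_page={value!r}")
```

A hit shows that the request was made, not that script ran in a browser; correlate flagged entries with the Referer field and with administrator session activity around the same time.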