
open redirect (oadest url) ck.php revive 4.2.1 #1068

Closed
becksgrohl opened this issue Jun 24, 2019 · 4 comments

@becksgrohl

Dear all,

We've found a bug in our Revive about ck.php (oadest):

https://revive.com/www/delivery/ck.php?oadest=https://evil.com -> it will redirect to the URL destination.

We read this URL https://packetstormsecurity.com/files/152671/REVIVE-SA-2019-001.txt
which says that we should upgrade the version, but this bug (as we think it is a bug) still allows an open redirect.

This issue will harm our site, and the victims could be redirected to a phishing website.

Could you guide us on what we should do again? Even after upgrading to version 4.2.1 it can still open redirect.

@erikgeurts
Contributor

Thanks for your report. The behavior you noticed is there by design. I'll explain below.

One of the core requirements of an adserver is to not only redirect users to the destination when they click on a banner, but to also track that the click has happened. To do this successfully, click actions on banners need to firstly come to Revive Adserver, to record the click, and then redirect the user.

One solution to ensure that arbitrary URL redirection behavior ("Open Redirects") is prevented would be to record the destination URL for each banner in the database, and to then redirect based on the banner that was clicked.

However, this would require that Revive Adserver knows the destination URL for every banner, which would then mean that external banners from other networks could not be used.

As a result, we typically do not treat Open Redirects as a security vulnerability, as most users of the software actually require the ability to redirect to supplied, non-verified URLs from the software. Changing the software to prevent Open Redirects would effectively prevent users from doing what they actually want the software to do.
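As an added illustration of the two designs Erik contrasts above (example code written for this thread, not Revive Adserver's own ck.php), here is a minimal Python click handler in both forms: the open-redirect version that sends the user wherever `oadest` says, and the verified version that looks up the destination recorded for the clicked banner and logs the click first. The `bannerid` parameter, the `BANNERS` table and the allowlist of external hosts for banners whose destination is not stored are constructed assumptions for this example, not Revive settings.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: banner id -> destination URL recorded when the banner was created.
BANNERS = {"42": "https://advertiser.example/landing"}

# Constructed allowlist of hosts for externally hosted banners whose destination
# is not known in advance (an assumption for this example, not a Revive setting).
ALLOWED_REDIRECT_HOSTS = {"advertiser.example", "partner-network.example"}


def _param(query: str, name: str) -> Optional[str]:
    """Return the first value of a query-string parameter, or None if absent."""
    return parse_qs(query).get(name, [None])[0]


def redirect_unverified(query: str) -> Optional[str]:
    """Open-redirect form: the click handler sends the user to whatever oadest says."""
    return _param(query, "oadest")


def redirect_verified(query: str, click_log: List[str]) -> Optional[str]:
    """Hardened form: the destination comes from the stored banner record; oadest is
    honoured only for an allowlisted host, and the click is logged before redirecting."""
    bannerid = _param(query, "bannerid")
    oadest = _param(query, "oadest")

    stored = BANNERS.get(bannerid) if bannerid else None
    if stored is not None:
        click_log.append(bannerid)  # record the click, then redirect to the known URL
        return stored

    # No stored destination: accept oadest only if it is an absolute http(s) URL whose
    # host is allowlisted. urlparse().hostname discards userinfo, so
    # "https://advertiser.example@evil.example/" resolves to evil.example and is
    # rejected; a scheme-relative "//host/path" has no scheme and is rejected too.
    if oadest:
        parts = urlparse(oadest)
        if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
            click_log.append(bannerid or "unknown")
            return oadest

    return None  # refuse to redirect; the caller should render an error page instead


if __name__ == "__main__":
    log: List[str] = []
    print(redirect_unverified("oadest=https://evil.example/"))
    print(redirect_verified("bannerid=42&oadest=https://evil.example/", log))
    print(redirect_verified("oadest=https://evil.example/", log), log)
```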

@becksgrohl
Author

becksgrohl commented Jun 24, 2019

Dear Mr Erik,

Thanks for your suggestions, advice, and many comments above.

Now we will coordinate with the team about this, and I'll pass on your suggestion above that an open redirect is not treated as a security vulnerability.

@erikgeurts
Contributor

For actual vulnerability reports, we strongly recommend you first study https://www.revive-adserver.com/security/ and then use https://hackerone.com/revive_adserver to report them. Posting a vulnerability publicly on Github is never a good idea, for any project.

@mbeccati
Contributor

We've revisited our decision and this will be fixed in the next release.

@mbeccati mbeccati reopened this Dec 21, 2020
@mbeccati mbeccati self-assigned this Dec 21, 2020
@mbeccati mbeccati added this to the v5.1.0 milestone Dec 21, 2020
mbeccati added a commit that referenced this issue Dec 23, 2020
Commits:
 * Fix #1068 Open redirects
mbeccati added a commit that referenced this issue Dec 29, 2020
Commits:
 * In order to increase BC with non default plugins
mbeccati added a commit that referenced this issue Dec 29, 2020
Commits:
 * Ref #1068 Reverted some adRender changes