Fixed several SQL injection vulnerabilities. #208

Closed
wants to merge 1 commit into
from

Projects

None yet

5 participants

@florian-sander
Contributor

There are several sql injection vulnerabilities in Revive. This change fixes them.

These vulnerabilites are already being exploited. I discovered them after tracking down an attack on our OpenX installation. I have tested the vulnerability on Revive as well. The attacks on OpenX have been going on since at least September, so I would assume the vulnerability is well known in black hat circles by now.

For everyone who wants to patch their system right away, I have provided patched files for OpenX and Revive on my blog:

http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/

As last time, I do not want to explain publicly in detail how to exploit the vulnerability, but maintainers of the master repository can contact me privately if they need more information.

@erikgeurts
Contributor

Florian, please remove everything that could help a person with bad intentions (including from your blog and your pull request) and contact us by e-mail at security@revive-adserver.com

@florian-sander
Contributor

Neither the pull request nor the blog post contain any instructions as to how exploit the vulnerability. To be sure I removed some additional information from the pull request which explained some changes. An email has been sent.

@hwde
Contributor
hwde commented Dec 19, 2013

Hi Flo, thanks for the patch ... but it is still not enough. Take a look at the "format:" condition.

@mbeccati
Contributor

Thanks guys for the input. We're working on testing / fixing and I'd expect a release very soon.

@florian-sander
Contributor

Hi hwde, thanks for the hint... but I'm afraid I do not see the issue with the patched format condition. It's probably best not to discuss this in public, so can you send me some more detailed information to florian.sander at checkpanel.com? Better include security at revive-adserver.com as well since Matteo is working on the official patch right now.

@luxurytraveldiary

Thanks for the patches for OpenX 2.8.11 Florian.

@mbeccati
Contributor

Fixed in 3.0.2

@mbeccati mbeccati closed this Dec 20, 2013
@mbeccati mbeccati was assigned Dec 23, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment