There are several SQL injection vulnerabilities in Revive. This change fixes them.
These vulnerabilities are already being exploited. I discovered them after tracking down an attack on our OpenX installation. I have tested the vulnerability on Revive as well. The attacks on OpenX have been going on since at least September, so I would assume the vulnerability is well known in black hat circles by now.
For everyone who wants to patch their system right away, I have provided patched files for OpenX and Revive on my blog:
As last time, I do not want to explain publicly in detail how to exploit the vulnerability, but maintainers of the master repository can contact me privately if they need more information.
Fixed several SQL injection vulnerabilities.
Florian, please remove everything that could help a person with bad intentions (including from your blog and your pull request) and contact us by e-mail at firstname.lastname@example.org
Neither the pull request nor the blog post contains any instructions as to how to exploit the vulnerability. To be sure, I removed some additional information from the pull request which explained some changes. An email has been sent.
Hi Flo, thanks for the patch ... but it is still not enough. Take a look at the "format:" condition.
Thanks guys for the input. We're working on testing / fixing and I'd expect a release very soon.
Hi hwde, thanks for the hint... but I'm afraid I do not see the issue with the patched format condition. It's probably best not to discuss this in public, so can you send me some more detailed information to florian.sander at checkpanel.com? Better include security at revive-adserver.com as well since Matteo is working on the official patch right now.
Thanks for the patches for OpenX 2.8.11, Florian.
Fixed in 3.0.2