Full Disclosure mailing list archives
[REVIVE-SA-2025-002] Revive Adserver Vulnerability
From: Matteo Beccati <php () beccati com>
Date: Fri, 24 Oct 2025 14:10:18 +0200
========================================================================
Revive Adserver Security Advisory REVIVE-SA-2025-002
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-002
------------------------------------------------------------------------
Date: 2025-10-24
Risk Level: High
Applications affected: Revive Adserver
Versions affected: 6.0.0
Versions not affected: >= 6.0.1
Website: https://www.revive-adserver.com/
========================================================================

========================================================================
Vulnerability: SQL injection
========================================================================
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE-ID: CVE-2025-52664
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
========================================================================

Description
-----------
HackerOne community member Mahmoud Khaled Kanon (https://github.com/Kanon4) has reported an SQL injection vulnerability in the admin-search.php script. An attacker can craft a specific URL that includes an SQL payload in the “keyword” parameter. The script requires manager-level authentication for the injection to happen and the usage of a MySQL backend. This issue affects Revive Adserver v6.0.0 only.
Details
-------
The “keyword” GET/POST parameter sent to the admin-search.php script is used in the `matchPattern()` method of the underlying PEAR MDB2 library, which is now largely unmaintained. The method was applying the necessary levels of escaping in the wrong order, resulting in single quotes being escaped twice when using a MySQL backend, effectively inserting a backslash character instead of escaping each single quote in the input. The result was a vulnerability to two types of attacks:

* Error-based injection using MySQL’s EXTRACTVALUE function
* Time-based blind injection using MySQL’s SLEEP function

An attacker with manager-level permissions can access the page, submit malicious queries and gather some results either via the error message or using SLEEP and verifying response times.

Alternatively, blind attacks could be performed by tricking a logged-in administrator/manager user into visiting specifically crafted URLs. Attack vectors are currently just proof of concept, as it is unknown what kind of information could be extracted or disrupted using such methods.
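Added example, not code from MDB2 or Revive Adserver: a Python model of the two escaping layers that matchPattern() composes for a MySQL backend, with a lexer walk showing why the 6.0.0 ordering leaves a quote bare and the reverse ordering does not. The function names and the simplified escaping rules are this model's own assumptions, not the real drivers' code.

```python
# Added example, not code from MDB2 or Revive Adserver: a model of the two
# escaping layers matchPattern() composes for MySQL, plus a lexer walk that
# shows what the server would see. Names and rules are this model's own.

def sql_escape(text: str) -> str:
    """String-literal escaping (the mysqli_real_escape_string behaviour that
    matters here): prefix backslash and single quote with a backslash."""
    return text.replace("\\", "\\\\").replace("'", "\\'")

def like_escape(text: str) -> str:
    """LIKE-pattern escaping with backslash as escape character (what MDB2's
    escapePattern() does for MySQL): prefix backslash, % and _ with one."""
    return "".join("\\" + c if c in "\\%_" else c for c in text)

def build_like_literal(keyword: str, vulnerable: bool) -> str:
    """Quoted literal for ... LIKE '<keyword>'. vulnerable=True reproduces the
    6.0.0 order (string escaping first, then pattern escaping): the backslash
    that protected the quote gets escaped itself and the quote ends up bare.
    The fixed order escapes the pattern first and the string literal last."""
    body = like_escape(sql_escape(keyword)) if vulnerable else sql_escape(like_escape(keyword))
    return "'" + body + "'"

def lex_string_literal(literal: str) -> tuple[str, str]:
    """Walk a single-quoted literal as the MySQL lexer does: a backslash
    consumes the next character, an unescaped quote ends the literal.
    Returns (value, trailing_text); trailing_text is empty when the whole
    input was one literal, otherwise it is text the server would parse as
    SQL, i.e. the injection condition. ('' doubling is not modelled because
    neither escaping layer emits it.)"""
    if not literal.startswith("'"):
        raise ValueError("expected a single-quoted literal")
    value, i = [], 1
    while i < len(literal):
        c = literal[i]
        if c == "\\" and i + 1 < len(literal):
            value.append(literal[i + 1])
            i += 2
            continue
        if c == "'":
            return "".join(value), literal[i + 1:]
        value.append(c)
        i += 1
    raise ValueError("unterminated literal")

if __name__ == "__main__":
    for vulnerable in (True, False):  # constructed keyword, no wildcards
        lit = build_like_literal("O'Reilly", vulnerable)
        print("6.0.0 order" if vulnerable else "fixed order", lit, lex_string_literal(lit))
```

With the 6.0.0 order the keyword O'Reilly becomes the literal 'O\\'Reilly', which the lexer closes after the escaped backslash and leaves Reilly' to be parsed as SQL; with the fixed order the same keyword becomes 'O\'Reilly' and is consumed whole.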
References
----------
https://hackerone.com/reports/3395221
https://github.com/revive-adserver/revive-adserver/commit/ffbc74d
https://cwe.mitre.org/data/definitions/89.html

========================================================================
Solution
========================================================================
We recommend updating to the most recent 6.0.1 version of Revive Adserver, or whatever happens to be the current release at the time of reading this security advisory.

========================================================================
Contact Information
========================================================================
The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>. Please review https://www.revive-adserver.com/security/ before doing so.

--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/
Attachment:
OpenPGP_0x819BAF32F410D901.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/