Introduction to Revive Adserver

Revive Adserver is a free open source ad serving system formerly known as OpenX Source. Revive Adserver and all of its predecessors have been around since 1998, and many developers have worked on the code since the start of the project. Unsafe code may have slipped in as a result.

There are thousands of known installations of Revive Adserver worldwide. Since ad servers typically interact with many internet users, they are an interesting target for people with bad intentions, for example to spread malicious code that is added to advertisements.

Being hacked is not the same as having found a vulnerability!

Very often, what people believe to be security vulnerabilities, turn out to be cases of (unauthorized) access to an installation through password guessing, social engineering or (sadly) simply using extremely weak passwords, or other methods not related to the code at all.

If your own ad server installation has been compromised, do not report it here! This program is only for reporting security vulnerabilities you have discovered in our code.

Read these important rules

• IMPORTANT: DO NOT TEST revive-adserver.com. Do not test an instance of Revive Adserver that you do not own. This includes any existing instance you might find anywhere on the web. If you report an issue against an instance you do not own, it will not be accepted. Instead, install your own instance of Revive Adserver. This will let you test the Revive Adserver software without disrupting others.

• IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY. Do not report configuration issues with revive-adserver.com etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the Revive Adserver software itself. For instructions on installing your own instance of Revive Adserver, see the Installation Guide. Please make sure you study the Technical Requirements first.

• Report issue only in relation to copies of the software you've downloaded from the Revive Adserver website. Please do not test a git clone or github tarball as it will contain files and tools used for testing and packaging that are not expected to be deployed on a production server.

• Report issues only in relation to the most recently released version of our software. If you've found an issue in an older version, it is possible that it has already been reported and fixed. Carefully study our Security Advisories before reporting any issues. If you're using an older version of the software, please upgrade first, then test again.

• We receive many reports from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word "Cricetinae" somewhere in the first paragraph of your report. If you do not, your report will be closed as invalid automatically, which may reflect on your reputation.

Requirements

• Test on your own installation. We're open source, so grab a copy from our site and install it on your own server.

• Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind Revive Adserver, so we're not in a position to spend our precious time on this planet to decipher your report. You spent the time finding the issue, so please spend an extra 2 minutes to spell out what you're able to do with it so we can easily understand the severity of the issue. Please provide specific and exact examples and steps to reproduce. Please consider if you can give us access to your installation if you think it might help us to study your report.

• Be responsible. We're here because we want to know vulnerabilities before the world does, so we have a chance to provide a solution in a reasonable time frame. We assume you're here for the same. Report issues directly to us here. Do not publicly disclose anything before we've been in touch with you.

• Vulnerabilities in third-party plugins for Revive Adserver should not be reported here, you should contact the author of the code or product.

Levels of Severity

• Critical: someone with no access is able to inject code/malware to be distributed by the delivery engine of a Revive Adserver instance. This includes getting unauthorized user interface access to the instance. This is a huge deal and we will be all over it.

• Important: someone with no access can do something that might impact someone who does have access, but cannot distribute malware via the delivery engine.

• Moderate: someone who already has a restricted UI access (i.e. not admin) can do something they shouldn't. Typically it's SQL injection or cross site scripting vulnerabilities but they require you already to have access to the ad management user interface. Being able to get a level of access greater than what you are supposed to have would likely graduate a vulnerability into a critical issue.

• Minor: something that's less than ideal, but can't be used to do anything nefarious today. Things that only impact the browsing experience of the attacker or that are unlikely/hard to be exploited very likely fall into this category.

If you've found any issue with our code that you consider to be a bug, but which has no security impact, please do not report it here! Instead, open an issue on our Github project.

Bounty program

The Revive Adserver project is open source and, alas, has no budget for a proper bounty program.

Response

• We will try to respond to your reports within 72 hours.

• We will fix security issues within a reasonable timeline, based on the severity as determined after triage.

• We've got lots of honor for those who submit issues related to our software, but no cash. And we truly believe in recognizing the work of others.

File your report

Now that you've read the policy and instructions above, please go ahead and report the issue you discovered.

Acknowledgement

Large parts of the text above have been copied almost verbatim from Phabricator and concrete5, if you have extra time to give, those are great place to give it!