Revive Adserver SQL Injection Vulnerability in Admin Search Functionality

Vulnerability

A SQL injection vulnerability has been identified in Revive Adserver version 6.0.0. The issue arises in the administrative search feature, specifically within the 'admin-search.php' file. The vulnerability allows authenticated users to send specially crafted payloads that could disrupt operations or facilitate unauthorized access to information. This flaw is rooted in improper input validation, as user-controlled data is directly incorporated into SQL queries without adequate sanitization or parameterization.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL commands through the vulnerable 'keyword' parameter. This could lead to unauthorized data access, modification or deletion of database information, execution of privileged commands on the database server, and potential escalation to further attacks using exfiltrated data.

Reproduction

To reproduce this vulnerability, log into Revive Adserver 6.0.0 as a user with administrative privileges. Navigate to the admin search page and intercept the request using Burp Suite. The 'keyword' parameter can be replaced with a payload that exploits the SQL injection vulnerability, such as one that uses MySQL's EXTRACTVALUE or SLEEP functions. After sending the request, the injected SQL payload will be executed, demonstrating the vulnerability.

Remediation

Users can update to Revive Adserver version 6.0.1, which addresses this vulnerability by properly sanitizing the 'keyword' parameter before it is used in database queries. The patch is available as part of the official release.
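As an added illustration (not code from Revive Adserver or from this advisory's author), the following hypothetical PHP search handler contrasts the string-concatenation pattern described above with a parameterized query of the kind the fix relies on; the table name `campaigns`, its column names and the `searchCampaigns*` function names are assumptions.

```php
<?php
// Added illustration, not Revive Adserver's own code: a hypothetical admin
// search handler showing the unsafe pattern the advisory describes next to a
// parameterized replacement. Table and column names are assumed.

// VULNERABLE: the request parameter is concatenated into the SQL string, so a
// quote or function call in 'keyword' is parsed as SQL rather than as data.
function searchCampaignsUnsafe(PDO $db, string $keyword): array
{
    $sql = "SELECT campaignid, campaignname FROM campaigns "
         . "WHERE campaignname LIKE '%" . $keyword . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the keyword is bound as a parameter and never becomes SQL text.
// LIKE wildcards in the input are escaped so they match literally, and the
// length is capped to limit expensive pattern scans.
function searchCampaignsSafe(PDO $db, string $keyword): array
{
    $keyword = mb_substr($keyword, 0, 100);
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword);
    $stmt = $db->prepare(
        "SELECT campaignid, campaignname FROM campaigns "
        . "WHERE campaignname LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE campaigns (campaignid INTEGER PRIMARY KEY, campaignname TEXT)");
$db->exec("INSERT INTO campaigns (campaignname) VALUES "
        . "('Spring Sale'), ('100% Wool'), ('O''Neil Outdoors')");

// A legitimate apostrophe in the keyword breaks the unsafe query outright,
// which is the same parsing behaviour the advisory's payloads depend on.
try {
    searchCampaignsUnsafe($db, "O'Neil");
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}

// The bound version treats the apostrophe and the percent sign as data.
echo count(searchCampaignsSafe($db, "O'Neil")) . " row(s) for O'Neil" . PHP_EOL;
echo count(searchCampaignsSafe($db, '100%')) . " row(s) for 100%" . PHP_EOL;
```

Run with `php` built with the PDO SQLite driver; the same two functions work unchanged against MySQL through the `pdo_mysql` driver, since the escaping is done with an explicit ESCAPE character rather than a driver-specific one.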

Added: Oct 31, 2025, 12:29 AM
Updated: Oct 31, 2025, 12:29 AM

Vulnerability Rating

Custom Algorithm

category         score
spread           5.2
impact           5.0
exploitability   6.8
remediation      7.7
relevance        0.9
threat           6.4
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.