Skip to content
Permalink
Browse files

Fix h1 report 128181

Special Element Injection
-------------------------

Joel Noguera has reported via HackerOne that usernames weren't properly
sanitised when creating users on a Revive Adserver instance. Especially,
control characters were not filtered, allowing apparently identical
usernames to co-exist in the system, due to the fact that such characters
are normally ignored when an HTML page is displayed in a browser.
The issue could have therefore been exploited for user spoofing, although
elevated privileges are required to create users within Revive Adserver.

CWE: CWE-75
CVSSv2: 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 3.1
CVSSv3 Temporal Score: 2.7
  • Loading branch information...
mbeccati committed Sep 26, 2016
1 parent 69aacbd commit 05b1eceb39d241e26ee3b4e41df7ca04edfdba89
Showing with 5 additions and 1 deletion.
  1. +5 −1 lib/OA/Admin/UI/UserAccess.php
@@ -81,7 +81,11 @@ function setNavigationFooterCallback($callback)
function process()
{
if (!empty($this->request['submit'])) {
$this->aErrors = $this->oPlugin->validateUsersData($this->request);
if (preg_match('#[\x00-\x1F\x7F]#', $this->request['login'])) {
$this->aErrors = array($GLOBALS['strInvalidUsername']);
} else {
$this->aErrors = $this->oPlugin->validateUsersData($this->request);
}
if (empty($this->aErrors)) {
$this->userid = $this->oPlugin->saveUser(
$this->userid, $this->request['login'], $this->request['passwd'],

0 comments on commit 05b1ece

Please sign in to comment.
You can’t perform that action at this time.