
Fix h1 report 175626

Deserialization of Untrusted Data
---------------------------------

HackerOne user Nicolas Grégoire - Agarri has reported that Revive Adserver
was unserializing untrusted data submitted via cookies in the delivery
scripts. An attacker could use such a vector to either perform generic RCE
attacks (e.g. when a vulnerable PHP version is being used) or,
potentially, application-specific attacks.

CWE-ID: CWE-502

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSSv3 Base Score: 9.8
CVSSv3 Temporal Score: 8.5
mbeccati committed Oct 25, 2016
1 parent 83a12b2 commit 05bb9f4d0ec5e3224c53a318e9ecf271bd781bce
Showing with 25 additions and 19 deletions.
  1. +6 −4 lib/max/Delivery/querystring.php
  2. +17 −13 www/delivery_dev/afr.php
  3. +2 −2 www/delivery_dev/avw.php
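--- a/lib/max/Delivery/querystring.php
+++ b/lib/max/Delivery/querystring.php
@@ -71,10 +71,12 @@ function MAX_querystringConvertParams()
 $n = isset($aGet[$conf['var']['n']]) ? $aGet[$conf['var']['n']] : '';
 }
 if (!empty($n) && !empty($_COOKIE[$conf['var']['vars']][$n])) {
-$aVars = unserialize(stripslashes($_COOKIE[$conf['var']['vars']][$n]));
-foreach ($aVars as $name => $value) {
-if (!isset($_GET[$name])) {
-$aGet[$name] = $value;
+$aVars = json_decode($_COOKIE[$conf['var']['vars']][$n], true);
+if (is_array($aVars)) {
+foreach ($aVars as $name => $value) {
+if (!isset($_GET[$name])) {
+$aGet[$name] = $value;
+}
 }
 }
 }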
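Review bot: The `is_array($aVars)` guard only checks the top level of the decoded cookie; with `json_decode(..., true)` each `$value` can still be a nested array, integer, boolean or null, and it is copied into `$aGet` unchecked, so whatever consumes `$aGet` after this function (outside the hunk) must tolerate non-string values, or the copy should be narrowed, e.g. `if (!isset($_GET[$name]) && is_scalar($value)) {`. The keys are attacker-chosen as well, so the cookie can still populate any `$aGet` entry the query string did not set; that was already the case before this change and is worth a comment on the loop, such as `// cookie-supplied names/values are untrusted; only fill gaps left by $_GET`. MAX_querystringConvertParams starts before and ends after the hunk.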
@@ -32,20 +32,24 @@
$banner = MAX_adSelect($what, $campaignid, $target, $source, $withtext, $charset, $context, true, $ct0, $loc, $referer);
// Send cookie if needed
if (!empty($banner['html']) && !empty($n)) {
// Send bannerid headers
$cookie = array();
$cookie[$conf['var']['adId']] = $banner['bannerid'];
// Send zoneid headers
if ($zoneid != 0) {
$cookie[$conf['var']['zoneId']] = $zoneid;
if (!empty($n)) {
if (!empty($banner['html'])) {
// Send bannerid headers
$cookie = array();
$cookie[$conf['var']['adId']] = $banner['bannerid'];
// Send zoneid headers
if ($zoneid != 0) {
$cookie[$conf['var']['zoneId']] = $zoneid;
}
// Send source headers
if (!empty($source)) {
$cookie[$conf['var']['channel']] = $source;
}
// Set the cookie
MAX_cookieAdd($conf['var']['vars'] . "[$n]", json_encode($cookie, JSON_UNESCAPED_SLASHES));
} else {
MAX_cookieUnset($conf['var']['vars'] . "[$n]");
}
// Send source headers
if (!empty($source)) {
$cookie[$conf['var']['channel']] = $source;
}
// Set the cookie
MAX_cookieAdd($conf['var']['vars'] . "[$n]", serialize($cookie));
}
MAX_cookieFlush();
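Review bot: The result of `json_encode($cookie, JSON_UNESCAPED_SLASHES)` on the `MAX_cookieAdd` line in the added block is not checked; `$source` is stored into `$cookie` and its origin is outside the hunk, but if it is request-supplied and not valid UTF-8, json_encode returns false and MAX_cookieAdd receives that instead of a JSON string (the same call is made in avw.php). Capturing the result and reusing the existing unset branch keeps the cookie state consistent: `$json = json_encode($cookie, JSON_UNESCAPED_SLASHES);` followed by `if ($json !== false) { MAX_cookieAdd($conf['var']['vars'] . "[$n]", $json); } else { MAX_cookieUnset($conf['var']['vars'] . "[$n]"); }`. The script continues before and after the hunk, so whether `$source` is validated upstream cannot be confirmed from here.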
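--- a/www/delivery_dev/avw.php
+++ b/www/delivery_dev/avw.php
@@ -84,7 +84,7 @@
 MAX_Delivery_log_logAdImpression($row['bannerid'], $zoneid);
 }
 // Redirect to the banner
-MAX_cookieAdd($conf['var']['vars'] . "[$n]", serialize($cookie));
+MAX_cookieAdd($conf['var']['vars'] . "[$n]", json_encode($cookie, JSON_UNESCAPED_SLASHES));
 MAX_cookieFlush();
 if ($row['bannerid'] == '') {
 if ($row['default_banner_image_url'] != '') {
@@ -98,7 +98,7 @@
 MAX_redirect($creativeURL);
 }
 } else {
-MAX_cookieAdd($conf['var']['vars'] . "[$n]", 'DEFAULT');
+MAX_cookieUnset($conf['var']['vars'] . "[$n]");
 MAX_cookieFlush();
 // Show 1x1 Gif, to ensure not broken image icon is shown.
 MAX_commonDisplay1x1();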
