Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Fix h1 report 175626
Deserialization of Untrusted Data
---------------------------------
HackerOne user Nicolas Grégoire - Agarri has reported that Revive Adserver
was unserializing untrusted data submitted via cookies in the delivery
scripts. An attacker could use such vector to either perform generic RCE
attacks (e.g. when a vulnerable PHP version is being used) or,
potentially, application-specific attacks.
CWE-ID: CWE-502
CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSSv3 Base Score: 9.8
CVSSv3 Temporal Score: 8.5
Loading branch information
Showing
3 changed files
with
25 additions
and
19 deletions .
+6
−4
lib/max/Delivery/querystring.php
+17
−13
www/delivery_dev/afr.php
+2
−2
www/delivery_dev/avw.php
@@ -71,10 +71,12 @@ function MAX_querystringConvertParams()
$ nisset ($ aGet$ conf'var' ]['n' ]]) ? $ aGet$ conf'var' ]['n' ]] : '' ;
}
if (!empty ($ nempty ($ _COOKIE $ conf'var' ]['vars' ]][$ n
$ aVarsunserialize (stripslashes ($ _COOKIE $ conf'var' ]['vars' ]][$ n
foreach ($ aVarsas $ name$ value
if (!isset ($ _GET $ name
$ aGet$ name$ value
$ aVarsjson_decode ($ _COOKIE $ conf'var' ]['vars' ]][$ ntrue );
if (is_array ($ aVars
foreach ($ aVarsas $ name$ value
if (!isset ($ _GET $ name
$ aGet$ name$ value
}
}
}
}
@@ -32,20 +32,24 @@
$ bannerMAX_adSelect $ what$ campaignid$ target$ source$ withtext$ charset$ contexttrue , $ ct0$ loc$ referer
// Send cookie if needed
if (!empty ($ banner'html' ]) && !empty ($ n
// Send bannerid headers
$ cookiearray ();
$ cookie$ conf'var' ]['adId' ]] = $ banner'bannerid' ];
// Send zoneid headers
if ($ zoneid0 ) {
$ cookie$ conf'var' ]['zoneId' ]] = $ zoneid
if (!empty ($ n
if (!empty ($ banner'html' ])) {
// Send bannerid headers
$ cookiearray ();
$ cookie$ conf'var' ]['adId' ]] = $ banner'bannerid' ];
// Send zoneid headers
if ($ zoneid0 ) {
$ cookie$ conf'var' ]['zoneId' ]] = $ zoneid
}
// Send source headers
if (!empty ($ source
$ cookie$ conf'var' ]['channel' ]] = $ source
}
// Set the cookie
MAX_cookieAdd $ conf'var' ]['vars' ] . "[$n]" , json_encode ($ cookieJSON_UNESCAPED_SLASHES ));
} else {
MAX_cookieUnset $ conf'var' ]['vars' ] . "[$n]" );
}
// Send source headers
if (!empty ($ source
$ cookie$ conf'var' ]['channel' ]] = $ source
}
// Set the cookie
MAX_cookieAdd $ conf'var' ]['vars' ] . "[$n]" , serialize ($ cookie
}
MAX_cookieFlush
@@ -84,7 +84,7 @@
MAX_Delivery_log_logAdImpression $ row'bannerid' ], $ zoneid
}
// Redirect to the banner
MAX_cookieAdd $ conf'var' ]['vars' ] . "[$n]" , serialize ($ cookie
MAX_cookieAdd $ conf'var' ]['vars' ] . "[$n]" , json_encode ($ cookie, JSON_UNESCAPED_SLASHES ));
MAX_cookieFlush
if ($ row'bannerid' ] == '' ) {
if ($ row'default_banner_image_url' ] != '' ) {
@@ -98,7 +98,7 @@
MAX_redirect $ creativeURL
}
} else {
MAX_cookieAdd $ conf'var' ]['vars' ] . "[$n]" , 'DEFAULT' );
MAX_cookieUnset $ conf'var' ]['vars' ] . "[$n]" );
MAX_cookieFlush
// Show 1x1 Gif, to ensure not broken image icon is shown.
MAX_commonDisplay1x1
Toggle all file notes
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session.
You signed out in another tab or window. Reload to refresh your session.
