Fix CVE-2015-7364

mbeccati · mbeccati · commit 288f81cc4d69 · 2015-10-06T12:52:59.000+02:00
Cross-Site Request Forgery (CSRF)
---------------------------------

Abdullah Hussam Gazi discovered that the CSRF protection mechanism introduced
a few years ago to secure the forms generated with the HTML_Quickform library
(most fo the forms in Revive Adserver's admin UI) could be easily bypassed by
sending an empty token along with the POST data. The range of malicious actions
include, but is not limited to, modifying entities like banners and zones and
altering preferences and settings.

CWE: CWE-352
CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
diff --git a/lib/OA/Admin/UI/component/Form.php b/lib/OA/Admin/UI/component/Form.php
@@ -125,8 +125,11 @@ function __construct($formName='', $method='POST', $action='', $target='', $attr
         //trim spaces from all data sent by the user
         $this->applyFilter('__ALL__', 'trim');
 
-        $this->addElement('hidden', 'token', phpAds_SessionGetToken());
-        $this->addRule('token', 'Invalid request token', 'callback', 'phpAds_SessionValidateToken');
+        if (!defined('phpAds_installing')) {
+            $this->addElement('hidden', 'token', phpAds_SessionGetToken());
+            $this->addRule('token', 'Missing request token', 'required');
+            $this->addRule('token', 'Invalid request token', 'callback', 'phpAds_SessionValidateToken');
+        }
     }
 
     function validate()
@@ -136,7 +139,7 @@ function validate()
         if (!$ret) {
             // The form returned an error. We need to generate a new CSRF token, in any.
             $token = $this->getElement('token');
-            if (!empty($token)) {
+            if (!empty($token) && !PEAR::isError($token)) {
                 $token->setValue(phpAds_SessionGetToken());
             }
         }
diff --git a/lib/pear/HTML/QuickForm/Renderer/Array.php b/lib/pear/HTML/QuickForm/Renderer/Array.php
@@ -225,13 +225,16 @@ function renderElement(&$element, $required, $error)
     } // end func renderElement
 
 
-    function renderHidden(&$element)
+    function renderHidden(&$element, $required, $error)
     {
         if ($this->_collectHidden) {
             $this->_ary['hidden'] .= $element->toHtml() . "\n";
         } else {
             $this->renderElement($element, false, null);
         }
+        if (!empty($error)) {
+            $this->_ary['errors'][$elAry['name']] = $error;
+        }
     } // end func renderHidden
 
 
diff --git a/lib/pear/HTML/QuickForm/hidden.php b/lib/pear/HTML/QuickForm/hidden.php
@@ -79,12 +79,14 @@ function freeze()
     * Accepts a renderer
     *
     * @param HTML_QuickForm_Renderer    renderer object
+    * @param bool                       Whether an element is required
+    * @param string                     An error message associated with an element
     * @access public
     * @return void
     */
-    function accept(&$renderer)
+    function accept(&$renderer, $required=false, $error=null)
     {
-        $renderer->renderHidden($this);
+        $renderer->renderHidden($this, $required, $error);
     } // end func accept
 
     // }}}

Original file line number	Diff line number	Diff line change
`@@ -225,13 +225,16 @@ function renderElement(&$element, $required, $error)`
`225`	`225`	`} // end func renderElement`
`226`	`226`
`227`	`227`
`228`		`- function renderHidden(&$element)`
	`228`	`+ function renderHidden(&$element, $required, $error)`
`229`	`229`	`{`
`230`	`230`	`if ($this->_collectHidden) {`
`231`	`231`	`$this->_ary['hidden'] .= $element->toHtml() . "\n";`
`232`	`232`	`} else {`
`233`	`233`	`$this->renderElement($element, false, null);`
`234`	`234`	`}`
	`235`	`+ if (!empty($error)) {`
	`236`	`+ $this->_ary['errors'][$elAry['name']] = $error;`
	`237`	`+ }`
`235`	`238`	`} // end func renderHidden`
`236`	`239`
`237`	`240`