Fix h1 report 99452
Cross-Site Request Forgery (CSRF)
---------------------------------

An undisclosed user has reported via HackerOne that the password recovery form
in Revive Adserver was vulnerable to CSRF attacks. Such a vulnerability could be
exploited to send a large number of password recovery emails to the
registered users, especially in conjunction with a bug that caused recovery
emails to be sent to all the users at once. Both issues have been fixed.

A CVE-ID has been requested, but not assigned yet.

CWE: CWE-352
CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
mbeccati committed Mar 1, 2016
1 parent 8d8c6df commit 3aaebcc
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions lib/OA/Admin/PasswordRecovery.php
@@ -99,6 +99,8 @@ function handleGet($vars)
*/
function handlePost($vars)
{
OA_Permission::checkSessionToken();

$this->pageHeader();
if (empty($vars['id'])) {
if (empty($vars['email'])) {
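Review bot: `OA_Permission::checkSessionToken()` is placed before the `empty($vars['id'])` branch, so one call guards both the recovery-request POST (email) and the password-reset POST (id plus new password), and it runs before `pageHeader()` so a rejected request emits no partial page. What the visible lines do not show is the failure path: the recovery page is reached without being logged in, so a POST that arrives with no established session (a stale or cached copy of the form, or a direct request) will carry no valid token. Confirm that `checkSessionToken()` stops with a clear error in that case rather than continuing or throwing, and note in the method docblock that `handlePost` now requires the session token.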
@@ -152,6 +154,8 @@ function displayRecoveryRequestForm($errormessage = '')

echo "<form method='post' action='password-recovery.php'>\n";

echo "<input type='hidden' name='token' value='".phpAds_SessionGetToken()."'/>\n";

echo "<div class='install'>".$GLOBALS['strPwdRecEnterEmail']."</div>";
echo "<table cellpadding='0' cellspacing='0' border='0'>";
echo "<tr><td colspan='2'><img src='" . OX::assetPath() . "/images/break-el.gif' width='400' height='1' vspace='8'></td></tr>";
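Review bot: the token is interpolated into the `value` attribute unescaped (`phpAds_SessionGetToken()` written straight into a single-quoted attribute), whereas the `id` field in the reset form of this same file goes through `htmlspecialchars()`. If the token is always hex or alphanumeric this is harmless, but `htmlspecialchars(phpAds_SessionGetToken(), ENT_QUOTES)` keeps the two forms consistent and removes the dependency on the token format.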
@@ -177,6 +181,7 @@ function displayRecoveryResetForm($id, $errormessage = '')

echo "<form method='post' action='password-recovery.php'>\n";
echo "<input type='hidden' name='id' value=\"".htmlspecialchars($id)."\" />";
echo "<input type='hidden' name='token' value='".phpAds_SessionGetToken()."'/>\n";

echo "<div class='install'>".$GLOBALS['strPwdRecEnterPassword']."</div>";
echo "<table cellpadding='0' cellspacing='0' border='0'>";
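Review bot: this is the same hidden `token` input as in the request form, so the two forms now duplicate the line; a small helper that emits the (escaped) token input would keep field name and escaping in step if either changes later. Separately, this form is reached from the emailed reset link, so the token it carries is only as good as the session it was read from: check that the GET handler that renders this form establishes the session before `phpAds_SessionGetToken()` is called, otherwise the subsequent POST will fail the new check for every legitimate user.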
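As an added example, not code from Revive Adserver or from this commit: the synchronizer-token pattern the patch applies, written stand-alone so the token generation, the check, and its failure mode are all visible in one place. The function names `csrf_token()`, `csrf_check()` and `render_recovery_form()` are hypothetical; the project's own `phpAds_SessionGetToken()` and `OA_Permission::checkSessionToken()` are not reproduced here.

```php
<?php
// Added example, not Revive Adserver code. csrf_token(), csrf_check() and
// render_recovery_form() are hypothetical names chosen for this illustration.

function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes, hex-encoded: unguessable, one token per session.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['token'] ?? '';

    // A form posted from an attacker's site carries no token from this
    // session, so a missing token and a wrong token must both fail.
    // hash_equals() avoids a timing side channel on the comparison.
    if ($expected === '' || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

function render_recovery_form(): string
{
    // Escape the token on output. It is hex here, so it cannot break out of
    // the attribute, but consistent escaping costs nothing and survives a
    // later change of token format.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return "<form method='post' action='password-recovery.php'>\n"
         . "<input type='hidden' name='token' value='{$token}'/>\n"
         . "<input type='text' name='email'/>\n"
         . "<input type='submit' value='Send recovery email'/>\n"
         . "</form>\n";
}

if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // Check before any output, so a rejected request gets a clean error
        // instead of a half-rendered page followed by an email send.
        if (!csrf_check($_POST)) {
            http_response_code(403);
            exit('Invalid or missing request token.');
        }
        // ... look up the address and send one recovery email to that user.
    } else {
        echo render_recovery_form();
    }
}
```

The token lives in the server-side session and is compared with `hash_equals()`; the hidden field only echoes it back. A page on another origin can make the victim's browser POST to `password-recovery.php`, but it cannot read the victim's session token to include it, which is what makes the forged request fail at the check.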

0 comments on commit 3aaebcc