Fix h1 report 97123
Cross-Site Request Forgery (CSRF)
---------------------------------

The HackerOne user @decidedlygray has reported a number of scripts in Revive
Adserver's user interface that were vulnerable to CSRF attacks:

- www/admin/banner-acl.php
- www/admin/banner-activate.php
- www/admin/banner-advanced.php
- www/admin/banner-modify.php
- www/admin/banner-swf.php
- www/admin/banner-zone.php
- www/admin/tracker-modify.php

A CVE-ID has been requested, but not assigned yet.

CWE: CWE-352
CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
mbeccati committed Mar 1, 2016
1 parent f688033 commit 65a9c81
Showing 7 changed files with 30 additions and 16 deletions.
2 changes: 2 additions & 0 deletions www/admin/banner-acl.php
Expand Up @@ -48,6 +48,8 @@
if (!empty($action)) {
$acl = MAX_AclAdjust($acl, $action);
} elseif (!empty($submit)) {
OA_Permission::checkSessionToken();

$acl = (isset($acl)) ? $acl : array();

// Only save when inputs are valid
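Review bot: The added `OA_Permission::checkSessionToken();` only guards the `elseif (!empty($submit))` branch; the preceding `if (!empty($action))` branch, which feeds request input into `MAX_AclAdjust($acl, $action)`, still runs without a token. If that helper only reshapes the in-memory `$acl` array before the page is redisplayed, the narrower placement is fine, but if it persists anything the action path stays reachable by a forged request — confirm against the helper. A one-line comment on the new call would make the chosen scope explicit, e.g. `// CSRF: the session token is required before the submitted ACL is saved`. The if/elseif block continues past the end of the hunk.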
2 changes: 2 additions & 0 deletions www/admin/banner-activate.php
Expand Up @@ -36,6 +36,8 @@
OA_Permission::enforceAccessToObject('campaigns', $campaignid);
OA_Permission::enforceAccessToObject('banners', $bannerid, true);

OA_Permission::checkSessionToken();

if (OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER)) {
if ($value == OA_ENTITY_STATUS_RUNNING) {
OA_Permission::enforceAllowed(OA_PERM_BANNER_ACTIVATE);
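Review bot: `OA_Permission::checkSessionToken();` is now enforced unconditionally on every request to this script, yet none of the seven changed files is a page that emits the activate/deactivate links or forms pointing here, so this commit does not show whether those callers already send the token. If they do not, legitimate status changes are rejected along with forged ones; confirm that every referrer passes the token and add a test that follows the link from the banner list. The same question applies to banner-swf.php, banner-zone.php and banner-modify.php, where the check was added at the top of the script in the same way.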
35 changes: 19 additions & 16 deletions www/admin/banner-advanced.php
Expand Up @@ -39,23 +39,26 @@
/*-------------------------------------------------------*/

if (isset($submitbutton)) {
if (isset($bannerid) && $bannerid != '') {
// Update banner
$doBanners = OA_Dal::factoryDO('banners');
$doBanners->get($bannerid);
$doBanners->prepend = $prepend;
$doBanners->append = $append;
$doBanners->update();

// Queue confirmation message
$translation = new OX_Translation();
$translated_message = $translation->translate($GLOBALS['strBannerAdvancedHasBeenUpdated'], array(
MAX::constructURL(MAX_URL_ADMIN, 'banner-edit.php?clientid=' . $clientid . '&campaignid=' . $campaignid . '&bannerid=' . $bannerid),
htmlspecialchars($doBanners->description)
));
OA_Admin_UI::queueMessage($translated_message, 'local', 'confirm', 0);
}
OA_Permission::checkSessionToken();

// Update banner
$doBanners = OA_Dal::factoryDO('banners');
$doBanners->get($bannerid);
$doBanners->prepend = $prepend;
$doBanners->append = $append;
$doBanners->update();

// Queue confirmation message
$translation = new OX_Translation();
$translated_message = $translation->translate($GLOBALS['strBannerAdvancedHasBeenUpdated'], array(
MAX::constructURL(MAX_URL_ADMIN, 'banner-edit.php?clientid=' . $clientid . '&campaignid=' . $campaignid . '&bannerid=' . $bannerid),
htmlspecialchars($doBanners->description)
));

OA_Admin_UI::queueMessage($translated_message, 'local', 'confirm', 0);

header ("Location: banner-advanced.php?clientid=".$clientid."&campaignid=".$campaignid."&bannerid=".$bannerid);
exit;
}

/*-------------------------------------------------------*/
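Review bot: The rewritten submit branch drops the old `if (isset($bannerid) && $bannerid != '')` guard, so `$doBanners->get($bannerid)`, `update()`, the confirmation message and the new redirect now run even when `$bannerid` is empty, which the previous code deliberately skipped. Unless a check above the hunk (such as an `enforceAccessToObject('banners', $bannerid)` call like the sibling scripts have) already rejects an empty id, this is a behaviour change beyond the CSRF fix: an empty id loads no row but still reports success and redirects. Keep only `OA_Permission::checkSessionToken();` unconditional and restore the guard around the update and message-queueing, or reject the request explicitly when the id is empty. As a style point, `header ("Location: ...")` should be written as `header('Location: ...')` without the space before the parenthesis.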
1 change: 1 addition & 0 deletions www/admin/banner-modify.php
Expand Up @@ -31,6 +31,7 @@
// Security check
OA_Permission::enforceAccount(OA_ACCOUNT_MANAGER);

OA_Permission::checkSessionToken();

/*-------------------------------------------------------*/
/* Main code */
2 changes: 2 additions & 0 deletions www/admin/banner-swf.php
Expand Up @@ -35,6 +35,8 @@
OA_Permission::enforceAccessToObject('campaigns', $campaignid);
OA_Permission::enforceAccessToObject('banners', $bannerid);

OA_Permission::checkSessionToken();

if (OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER)) {
OA_Permission::enforceAllowed(OA_PERM_BANNER_EDIT);
}
2 changes: 2 additions & 0 deletions www/admin/banner-zone.php
Expand Up @@ -31,6 +31,8 @@
OA_Permission::enforceAccessToObject('campaigns', $campaignid);
OA_Permission::enforceAccessToObject('banners', $bannerid);

OA_Permission::checkSessionToken();

/*-------------------------------------------------------*/
/* Store preferences */
/*-------------------------------------------------------*/
2 changes: 2 additions & 0 deletions www/admin/tracker-modify.php
Expand Up @@ -38,6 +38,8 @@

if (!empty($trackerid))
{
OA_Permission::checkSessionToken();

if (!empty($moveto))
{
// Delete any campaign-tracker links
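Review bot: `OA_Permission::checkSessionToken();` sits inside `if (!empty($trackerid))`, so only requests that carry an existing tracker id are verified; any part of this script that handles a missing `$trackerid` (for example creating a new tracker) lies outside the hunk and is not covered. If such a path exists and writes to the database, move the check above the condition, `OA_Permission::checkSessionToken();` directly before `if (!empty($trackerid))`, as banner-modify.php does at the top of the script. The `if (!empty($trackerid))` block continues past the end of the hunk.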
