
Fix h1 report 97123

Cross-Site Request Forgery (CSRF)
---------------------------------

The HackerOne user @decidedlygray has reported a number of scripts in Revive
Adserver's user interface that were vulnerable to CSRF attacks:

- www/admin/banner-acl.php
- www/admin/banner-activate.php
- www/admin/banner-advanced.php
- www/admin/banner-modify.php
- www/admin/banner-swf.php
- www/admin/banner-zone.php
- www/admin/tracker-modify.php

A CVE-ID has been requested, but not assigned yet.

CWE: CWE-352
CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
mbeccati committed Nov 20, 2015
1 parent f688033 commit 65a9c8119b4bc7493fd957e1a8d6f6f731298b45
@@ -48,6 +48,8 @@
if (!empty($action)) {
$acl = MAX_AclAdjust($acl, $action);
} elseif (!empty($submit)) {
OA_Permission::checkSessionToken();
$acl = (isset($acl)) ? $acl : array();
// Only save when inputs are valid
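Review bot: The token check is only reached on the `elseif (!empty($submit))` branch, so the `if (!empty($action))` branch above it, which calls `MAX_AclAdjust($acl, $action)`, still runs without a CSRF check. If MAX_AclAdjust only reshapes the in-memory `$acl` array for re-display that is harmless, but if it persists anything the same guard is needed there; placing `OA_Permission::checkSessionToken();` above the `if (!empty($action))` line would cover both branches with a single call. The enclosing code starts before and ends after the hunk, and the rendered page carries no file header, so the file is presumed from the commit message's list (banner-acl.php).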
@@ -36,6 +36,8 @@
OA_Permission::enforceAccessToObject('campaigns', $campaignid);
OA_Permission::enforceAccessToObject('banners', $bannerid, true);
OA_Permission::checkSessionToken();
if (OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER)) {
if ($value == OA_ENTITY_STATUS_RUNNING) {
OA_Permission::enforceAllowed(OA_PERM_BANNER_ACTIVATE);
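Review bot: The new `OA_Permission::checkSessionToken();` protects the activate/deactivate action, but the hunk does not show how the token reaches this script; if the activate links in the UI are plain GET URLs with the token in the query string, the token ends up in browser history and in the Referer header of any page navigated to from the result. Worth confirming that the caller submits via POST, or that the helper reads the token from POST data only — the hunk alone cannot tell. The surrounding code starts before and ends after the hunk.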
@@ -39,23 +39,26 @@
/*-------------------------------------------------------*/
if (isset($submitbutton)) {
if (isset($bannerid) && $bannerid != '') {
// Update banner
$doBanners = OA_Dal::factoryDO('banners');
$doBanners->get($bannerid);
$doBanners->prepend = $prepend;
$doBanners->append = $append;
$doBanners->update();
// Queue confirmation message
$translation = new OX_Translation();
$translated_message = $translation->translate($GLOBALS['strBannerAdvancedHasBeenUpdated'], array(
MAX::constructURL(MAX_URL_ADMIN, 'banner-edit.php?clientid=' . $clientid . '&campaignid=' . $campaignid . '&bannerid=' . $bannerid),
htmlspecialchars($doBanners->description)
));
OA_Admin_UI::queueMessage($translated_message, 'local', 'confirm', 0);
}
OA_Permission::checkSessionToken();
// Update banner
$doBanners = OA_Dal::factoryDO('banners');
$doBanners->get($bannerid);
$doBanners->prepend = $prepend;
$doBanners->append = $append;
$doBanners->update();
// Queue confirmation message
$translation = new OX_Translation();
$translated_message = $translation->translate($GLOBALS['strBannerAdvancedHasBeenUpdated'], array(
MAX::constructURL(MAX_URL_ADMIN, 'banner-edit.php?clientid=' . $clientid . '&campaignid=' . $campaignid . '&bannerid=' . $bannerid),
htmlspecialchars($doBanners->description)
));
OA_Admin_UI::queueMessage($translated_message, 'local', 'confirm', 0);
header ("Location: banner-advanced.php?clientid=".$clientid."&campaignid=".$campaignid."&bannerid=".$bannerid);
exit;
}
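Review bot: As rendered, the new side (`OA_Permission::checkSessionToken();` followed by the update block) appears to drop the old `if (isset($bannerid) && $bannerid != '')` guard, so `$doBanners->get($bannerid)` and `$doBanners->update()` would now run even when `$bannerid` is empty; if that reading is right, keep the guard — `OA_Permission::checkSessionToken();` first, then `if (isset($bannerid) && $bannerid != '') { … }` around the update — unless an `enforceAccessToObject('banners', $bannerid)` earlier in the file (outside the hunk) already guarantees a non-empty id. The rendered page has lost the +/- markers, so which lines are old and which are new cannot be confirmed from the hunk itself. The `if (isset($submitbutton))` block closes inside the hunk, but the file continues beyond it.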
/*-------------------------------------------------------*/
@@ -31,6 +31,7 @@
// Security check
OA_Permission::enforceAccount(OA_ACCOUNT_MANAGER);
OA_Permission::checkSessionToken();
/*-------------------------------------------------------*/
/* Main code */
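Review bot: The `OA_Permission::checkSessionToken();` added here runs unconditionally before the main code, so every request to this script, including a plain GET with no form fields, must now carry a valid token; that is the right shape for a pure form handler, but any UI link pointing at banner-modify.php directly will now be rejected. A one-line comment above the call, `// CSRF: every request to this handler must carry the session token`, would stop someone later narrowing it to the submit branch and reopening the hole. The hunk is a top-of-file fragment; the main code follows outside it.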
@@ -35,6 +35,8 @@
OA_Permission::enforceAccessToObject('campaigns', $campaignid);
OA_Permission::enforceAccessToObject('banners', $bannerid);
OA_Permission::checkSessionToken();
if (OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER)) {
OA_Permission::enforceAllowed(OA_PERM_BANNER_EDIT);
}
@@ -31,6 +31,8 @@
OA_Permission::enforceAccessToObject('campaigns', $campaignid);
OA_Permission::enforceAccessToObject('banners', $bannerid);
OA_Permission::checkSessionToken();
/*-------------------------------------------------------*/
/* Store preferences */
/*-------------------------------------------------------*/
@@ -38,6 +38,8 @@
if (!empty($trackerid))
{
OA_Permission::checkSessionToken();
if (!empty($moveto))
{
// Delete any campaign-tracker links
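Review bot: The `OA_Permission::checkSessionToken();` call sits inside `if (!empty($trackerid))`, so a request that omits the tracker id skips it; if the rest of the script (outside the hunk) handles creating a new tracker when `$trackerid` is empty, that create path remains forgeable. Moving the call above the `if (!empty($trackerid))` line covers both paths with one check, matching the unconditional placement used in the other hunks of this commit. The enclosing block starts and ends outside the hunk.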
