Fix h1 report 1083376
mbeccati committed Jan 23, 2021
1 parent e2a67ce commit 6f46076
Showing 6 changed files with 15 additions and 13 deletions.
3 changes: 3 additions & 0 deletions RELEASE_NOTES.txt
Expand Up @@ -26,6 +26,9 @@ What's New in Revive Adserver 5.1.1
* Fixed reflected XSS vulnerability in userlog-index.php via the
period_preset parameter.

* Fixed reflected XSS vulnerability in stats.php via the setPerPage
parameter.


New Features
------------
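--- a/lib/OA/Admin/Statistics/Common.php
+++ b/lib/OA/Admin/Statistics/Common.php
@@ -1193,12 +1193,14 @@ function _loadParams($aMergeArray = null, $clearParams = false)
 
 // Add new params from $_GET/session
 foreach ($aVarArray as $k => $v) {
-$this->aPageParams[$v] = htmlspecialchars(MAX_getStoredValue($v, ''));
+$this->aPageParams[$v] = htmlspecialchars(MAX_getStoredValue($v, ''), ENT_QUOTES);
 }
 
 // Ensure the setPerPage value is set
 if (empty($this->aPageParams['setPerPage'])) {
 $this->aPageParams['setPerPage'] = 15;
+} else {
+$this->aPageParams['setPerPage'] = (int) $this->aPageParams['setPerPage'];
 }
 
 // Merge params with optional array, if required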
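Review bot: The `(int)` cast in the new else branch only runs for values that pass `empty()`, so a non-numeric or negative `setPerPage` (which is non-empty) becomes 0 or a negative page size instead of falling back to the 15 default, and whatever consumes `$this->aPageParams['setPerPage']` further down (outside this hunk) receives an invalid per-page count. Normalising inside the else branch closes the gap: `$perPage = (int) $this->aPageParams['setPerPage'];` followed by `$this->aPageParams['setPerPage'] = $perPage > 0 ? $perPage : 15;`. The same 0-or-negative outcome applies to the bare `(int)` casts added in CommonHistory.php, connections-modify.php, stats-conversions.php and userlog-index.php, where wrapping them as `max(1, (int) …)` would give the pager a sane lower bound. `_loadParams` starts and ends outside the hunk.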
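--- a/lib/OA/Admin/Statistics/Delivery/CommonHistory.php
+++ b/lib/OA/Admin/Statistics/Delivery/CommonHistory.php
@@ -164,7 +164,7 @@ function prepare(&$aParams, $link = '')
 if ($use_pager) {
 $params = array(
 'itemData' => $stats,
-'perPage' => htmlspecialchars(MAX_getStoredValue('setPerPage', $per_page)),
+'perPage' => (int) MAX_getStoredValue('setPerPage', $per_page),
 'delta' => 8,
 'append' => true,
 'clearIfVoid' => false,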
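--- a/www/admin/connections-modify.php
+++ b/www/admin/connections-modify.php
@@ -41,8 +41,8 @@
 $hour = MAX_getValue('hour');
 $returnurl = MAX_getValue('returnurl');
 $statusIds = MAX_getValue('statusIds');
-$pageID = MAX_getValue('pageID');
-$setPerPage = MAX_getValue('setPerPage');
+$pageID = (int) MAX_getValue('pageID');
+$setPerPage = (int) MAX_getValue('setPerPage', 15);
 
 $aParams = array();
 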
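Review bot: `(int) MAX_getValue('pageID')` yields 0 when the parameter is absent, unlike the default of 1 that the same parameter gets in stats-conversions.php and userlog-index.php in this commit; passing the default here too, `$pageID = (int) MAX_getValue('pageID', 1);`, keeps the three pages consistent and avoids a page index of 0 reaching whatever pager logic follows outside the hunk. The hardening also stops at the two pagination values: `$returnurl` and `$statusIds` are still read raw on the lines just above. Their use is not visible here, but if `$returnurl` is later emitted in a redirect or a link it needs validation as a relative admin path, which a `// TODO: validate $returnurl before use` next to its assignment would flag for follow-up.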
9 changes: 3 additions & 6 deletions www/admin/stats-conversions.php
Expand Up @@ -36,8 +36,8 @@
$day = MAX_getStoredValue('day', null, 'stats-conversions.php');
$howLong = MAX_getStoredValue('howLong', 'd');
$hour = MAX_getStoredValue('hour', null, 'stats-conversions.php', true);
$setPerPage = MAX_getStoredValue('setPerPage', 15);
$pageID = MAX_getStoredValue('pageID', 1);
$setPerPage = (int) MAX_getStoredValue('setPerPage', 15);
$pageID = (int) MAX_getStoredValue('pageID', 1);

if (!empty($day)) {
// Reset period
Expand Down Expand Up @@ -225,7 +225,7 @@


$aParams['totalItems'] = count($aConversions);
$aParams['perPage'] = MAX_getStoredValue('setPerPage', 15);
$aParams['perPage'] = (int) MAX_getStoredValue('setPerPage', 15);

if (!isset($pageID) || $pageID == 1) {
$aParams['startRecord'] = 0;
Expand All @@ -238,9 +238,6 @@
$aConversions = Admin_DA::fromCache('getConversions', $aParams + $aDates);


$aParams['perPage'] = MAX_getStoredValue('setPerPage', 15);
//$aParams['startRecord'] = $_REQUEST['page'];

$pager = & Pager::factory($aParams);
$per_page = $pager->_perPage;
$pager->history = $pager->getPageData();
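Review bot: With `$pageID` now cast to int in the first hunk, the `!isset($pageID)` half of the condition in the second hunk can never be true, and a non-numeric `pageID` (cast to 0) now takes the else branch instead of the `startRecord = 0` branch, which presumably computes an offset from `$pageID - 1` outside the hunk. Replacing the condition with `if ($pageID <= 1) {` covers both the absent and the malformed case with one strict comparison. Separately, `$aParams['perPage'] = (int) MAX_getStoredValue('setPerPage', 15);` re-reads and re-casts the value already held in `$setPerPage`; `$aParams['perPage'] = $setPerPage;` keeps a single normalised source.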
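--- a/www/admin/userlog-index.php
+++ b/www/admin/userlog-index.php
@@ -88,8 +88,8 @@
 $orderdirection = 'up';
 }
 }
-$setPerPage = MAX_getStoredValue('setPerPage', 10);
-$pageID = MAX_getStoredValue('pageID', 1);
+$setPerPage = (int) MAX_getStoredValue('setPerPage', 10);
+$pageID = (int) MAX_getStoredValue('pageID', 1);
 
 // Setup date selector
 $aPeriod = array(
@@ -205,7 +205,7 @@
 $aParams['startRecord'] = 0;
 }
 
-$aParams['perPage'] = MAX_getStoredValue('setPerPage', 10);
+$aParams['perPage'] = (int) MAX_getStoredValue('setPerPage', 10);
 
 // Retrieve audit details
 $aAuditData = $oUserlog->getAuditLog($aParams);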
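Review bot: The second hunk re-reads and re-casts `setPerPage` even though the first hunk already stored the normalised value in `$setPerPage`; `$aParams['perPage'] = $setPerPage;` gives the audit-log query one source of truth and means any future bound check (for example clamping to a positive value) only has to be made once. As written, a non-numeric or negative value still reaches `getAuditLog` as 0 or a negative `perPage`, so the single assignment at the top is also where `max(1, …)` belongs.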
