
Fix other CSRF issues

Cross-Site Request Forgery (CSRF)
---------------------------------

Following a number of CSRF reports, the Revive Team has conducted a security
audit of the admin interface scripts in order to identify and fix other
potential CSRF vulnerabilities.

The effort led to fixing 20+ such issues: please see the commit for the full
list of files affected.

A CVE-ID has been requested, but not assigned yet.

CWE: CWE-352
CVSSv2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
mbeccati committed Jan 28, 2016
1 parent 65a9c81 commit e563ca61e4f3b7210cb61f53284adaa8aef4a49a
@@ -119,6 +119,8 @@ function init($templateName)
*/
$this->register_function('rv_add_session_token', array('OA_Admin_Template', '_add_session_token'));
// Also assign a template variable for other usages
$this->assign("csrfToken", phpAds_SessionGetToken());
}
/**
@@ -46,6 +46,7 @@ function __construct()
{
$this->_useDefaultDal();
$this->csrf_token = phpAds_SessionGetToken();
$this->advertiser_id = MAX_getValue('clientid', 0);
$this->tracker_id = MAX_getValue('trackerid', 0);
$this->assetPath = OX::assetPath();
@@ -13,7 +13,7 @@
function MMM_trackerAction(action, id)
{
var f = document.getElementById('trackerAppendForm');
f.t_action.value = action;
f.t_id.value = id;
f.submit();
@@ -26,6 +26,7 @@
<span class='tab-s'>You have unsaved changes on this page, make sure you press &quot;Save Changes&quot; when finished</span><br>
</div>
<form id="trackerAppendForm" class="section" method="post">
<input type="hidden" name="token" value="{csrf_token}" />
<input type="hidden" name="clientid" value="{advertiser_id}" />
<input type="hidden" name="trackerid" value="{tracker_id}" />
<input type="hidden" name="t_action" />
@@ -1147,6 +1147,7 @@ function MAX_displayAcls($acls, $aParams)
$conf = $GLOBALS['_MAX']['CONF'];
echo "<form action='{$page}' method='post'>";
echo "<input type='hidden' name='token' value='".urlencode(phpAds_SessionGetToken())."' />";
echo "<label><img src='" . OX::assetPath() . "/images/icon-acl-add.gif' align='absmiddle'>&nbsp;". $GLOBALS['strACLAdd'] .": &nbsp;";
echo "<select name='type' accesskey='{$GLOBALS['keyAddNew']}' tabindex='".($tabindex++)."'>";
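Review bot: The hidden token at L56 is URL-encoded inside an HTML attribute, whereas the other forms in this commit escape it for attribute context (`htmlspecialchars($token, ENT_QUOTES)`, e.g. L69 and L261). URL encoding is the wrong escaper for a `value='…'` attribute: it is only harmless if the token happens to be alphanumeric, and any `+`, `=` or `/` in it would likely be submitted in percent-encoded form and fail the comparison on the receiving side. Suggest `echo "<input type='hidden' name='token' value='".htmlspecialchars(phpAds_SessionGetToken(), ENT_QUOTES)."' />";`. MAX_displayAcls continues outside the hunk.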
@@ -1689,11 +1690,14 @@ function addAdvertiserPageToolsAndShortcuts($advertiserId)
function addTrackerPageTools($advertiserId, $trackerId, $aOtherAdvertisers)
{
if (OA_Permission::isAccount(OA_ACCOUNT_ADMIN) || OA_Permission::isAccount(OA_ACCOUNT_MANAGER)) {
$token = phpAds_SessionGetToken();
//duplicate
addPageLinkTool($GLOBALS["strDuplicate"], MAX::constructUrl(MAX_URL_ADMIN, "tracker-modify.php?clientid=".$advertiserId."&trackerid=".$trackerId."&duplicate=true&returnurl=".urlencode(basename($_SERVER['SCRIPT_NAME']))), "iconTrackerDuplicate");
addPageLinkTool($GLOBALS["strDuplicate"], MAX::constructUrl(MAX_URL_ADMIN, "tracker-modify.php?token=".urlencode($token)."&clientid=".$advertiserId."&trackerid=".$trackerId."&duplicate=true&returnurl=".urlencode(basename($_SERVER['SCRIPT_NAME']))), "iconTrackerDuplicate");
//move to
$form = "<form action='" . MAX::constructUrl(MAX_URL_ADMIN, 'tracker-modify.php') . "'>
<input type='hidden' name='token' value='".htmlspecialchars($token, ENT_QUOTES)."'>
<input type='hidden' name='trackerid' value='$trackerId'
<input type='hidden' name='clientid' value='$advertiserId'
<input type='hidden' name='returnurl' value='tracker-edit.php'>
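Review bot: The token now travels in GET query strings on the duplicate link at L66 (likewise L86, L115 and L168), the "move to" form opened at L68 has no `method` attribute and so submits via GET as well (same for the forms at L88, L117, L125 and L149), and the maintenance forms at L260, L275 and L290 are explicitly `METHOD='GET'`; a token in a URL ends up in browser history, server and proxy logs, and the Referer header of any page navigated to from the result. Switching these forms to `method='post'` would keep the token out of URLs, assuming the receiving scripts read the fields independently of the method (to be confirmed). Separately, the two hidden inputs at L70-L71 lack their closing `>`, so `<input type='hidden' name='trackerid' value='$trackerId'>` and the clientid line should be terminated. addTrackerPageTools continues outside the hunk.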
@@ -1706,7 +1710,7 @@ function addTrackerPageTools($advertiserId, $trackerId, $aOtherAdvertisers)
//delete
$deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteTracker']);
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "tracker-delete.php?token=" . urlencode(phpAds_SessionGetToken()) . "&clientid=".$advertiserId."&trackerid=".$trackerId."&returnurl=advertiser-trackers.php"), "iconDelete", null, $deleteConfirm);
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "tracker-delete.php?token=".urlencode($token)."&clientid=".$advertiserId."&trackerid=".$trackerId."&returnurl=advertiser-trackers.php"), "iconDelete", null, $deleteConfirm);
addPageShortcut($GLOBALS['strBackToTrackers'], MAX::constructUrl(MAX_URL_ADMIN, "advertiser-trackers.php?clientid=$advertiserId"), "iconBack");
}
}
@@ -1717,13 +1721,17 @@ function addCampaignPageTools($clientid, $campaignid, $aOtherAdvertisers, $aEnti
global $phpAds_TextDirection;
if (!OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER)) {
addPageLinkTool($GLOBALS["strDuplicate"], MAX::constructUrl(MAX_URL_ADMIN, "campaign-modify.php?duplicate=1&clientid=$clientid&campaignid=$campaignid&returnurl=".urlencode(basename($_SERVER['SCRIPT_NAME']))), "iconCampaignDuplicate");
$token = phpAds_SessionGetToken();
addPageLinkTool($GLOBALS["strDuplicate"], MAX::constructUrl(MAX_URL_ADMIN, "campaign-modify.php?token=".urlencode($token)."&duplicate=1&clientid=$clientid&campaignid=$campaignid&returnurl=".urlencode(basename($_SERVER['SCRIPT_NAME']))), "iconCampaignDuplicate");
if (OA_Permission::hasAccessToObject('campaigns', $campaignid, OA_Permission::OPERATION_MOVE)) {
$form = "<form action='" . MAX::constructUrl(MAX_URL_ADMIN, 'campaign-modify.php') . "'>
<input type='hidden' name='token' value='".htmlspecialchars($token, ENT_QUOTES)."'>
<input type='hidden' name='clientid' value='$clientid'>
<input type='hidden' name='campaignid' value='$campaignid'>
<input type='hidden' name='returnurl' value='".htmlspecialchars(basename($_SERVER['SCRIPT_NAME']))."'>
<input type='hidden' name='returnurl' value='".htmlspecialchars(basename($_SERVER['SCRIPT_NAME'], ENT_QUOTES))."'>
<select name='newclientid'>";
$aOtherAdvertisers = _multiSort($aOtherAdvertisers,'name','advertiser_id');
foreach ($aOtherAdvertisers as $aOtherAdvertiser) {
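Review bot: The `ENT_QUOTES` added at L93 is passed to `basename()` as its suffix argument, not to `htmlspecialchars()`, so the returnurl value is still escaped with the default flags, which leave single quotes untouched inside a single-quoted `value='…'` attribute; the intended line is `<input type='hidden' name='returnurl' value='".htmlspecialchars(basename($_SERVER['SCRIPT_NAME']), ENT_QUOTES)."'>`. The equivalent returnurl line in addZonePageTools at L153 has no `ENT_QUOTES` at all and deserves the same treatment. addCampaignPageTools continues outside the hunk.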
@@ -1740,7 +1748,7 @@ function addCampaignPageTools($clientid, $campaignid, $aOtherAdvertisers, $aEnti
}
$deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteCampaign']);
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "campaign-delete.php?token=" . urlencode(phpAds_SessionGetToken()) . "&clientid=$clientid&campaignid=$campaignid&returnurl=advertiser-campaigns.php"), "iconDelete", null, $deleteConfirm);
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "campaign-delete.php?token=".urlencode($token)."&clientid=$clientid&campaignid=$campaignid&returnurl=advertiser-campaigns.php"), "iconDelete", null, $deleteConfirm);
}
//shortcuts
@@ -1761,16 +1769,20 @@ function addCampaignPageTools($clientid, $campaignid, $aOtherAdvertisers, $aEnti
function addBannerPageTools($advertiserId, $campaignId, $bannerId, $aOtherCampaigns, $aOtherBanners, $aEntities)
{
global $phpAds_TextDirection;
if (empty($bannerId)) {
return;
}
global $phpAds_TextDirection;
$token = phpAds_SessionGetToken();
//duplicate
addPageLinkTool($GLOBALS["strDuplicate"], MAX::constructUrl(MAX_URL_ADMIN, "banner-modify.php?duplicate=true&clientid=$advertiserId&campaignid=$campaignId&bannerid=$bannerId&returnurl=".urlencode(basename($_SERVER['SCRIPT_NAME']))), "iconBannerDuplicate");
addPageLinkTool($GLOBALS["strDuplicate"], MAX::constructUrl(MAX_URL_ADMIN, "banner-modify.php?token=".urlencode($token)."&duplicate=true&clientid=$advertiserId&campaignid=$campaignId&bannerid=$bannerId&returnurl=".urlencode(basename($_SERVER['SCRIPT_NAME']))), "iconBannerDuplicate");
//move to
$form = "<form action='" . MAX::constructUrl(MAX_URL_ADMIN, 'banner-modify.php') . "'>
<input type='hidden' name='token' value='".htmlspecialchars($token, ENT_QUOTES)."'>
<input type='hidden' name='clientid' value='$advertiserId'>
<input type='hidden' name='campaignid' value='$campaignId'>
<input type='hidden' name='bannerid' value='$bannerId'>
@@ -1795,6 +1807,7 @@ function addBannerPageTools($advertiserId, $campaignId, $bannerId, $aOtherCampai
//apply to
if (basename($_SERVER['SCRIPT_NAME']) == 'banner-acl.php') {
$form = "<form action='" . MAX::constructUrl(MAX_URL_ADMIN, 'banner-modify.php') . "'>
<input type='hidden' name='token' value='".htmlspecialchars($token, ENT_QUOTES)."'>
<input type='hidden' name='clientid' value='$advertiserId'>
<input type='hidden' name='campaignid' value='$campaignId'>
<input type='hidden' name='bannerid' value='$bannerId'>
@@ -1815,7 +1828,7 @@ function addBannerPageTools($advertiserId, $campaignId, $bannerId, $aOtherCampai
//delete
if (!OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER)) {
$deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteBanner']);
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "banner-delete.php?token=" . urlencode(phpAds_SessionGetToken()) . "&clientid=$advertiserId&campaignid=$campaignId&bannerid=$bannerId&returnurl=campaign-banners.php"), "iconDelete", null, $deleteConfirm);
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "banner-delete.php?token=".urlencode($token)."&clientid=$advertiserId&campaignid=$campaignId&bannerid=$bannerId&returnurl=campaign-banners.php"), "iconDelete", null, $deleteConfirm);
}
/* Shortcuts */
@@ -1840,6 +1853,9 @@ function addWebsitePageTools($websiteId)
function addZonePageTools($affiliateid, $zoneid, $aOtherPublishers, $aEntities)
{
global $phpAds_TextDirection;
$token = phpAds_SessionGetToken();
//duplicate
if (OA_Permission::isAccount(OA_ACCOUNT_ADMIN)
|| OA_Permission::isAccount(OA_ACCOUNT_MANAGER)
@@ -1851,6 +1867,7 @@ function addZonePageTools($affiliateid, $zoneid, $aOtherPublishers, $aEntities)
if (OA_Permission::isAccount(OA_ACCOUNT_ADMIN)
|| OA_Permission::isAccount(OA_ACCOUNT_MANAGER)) {
$form = "<form action='" . MAX::constructUrl(MAX_URL_ADMIN, 'zone-modify.php') . "'>
<input type='hidden' name='token' value='".htmlspecialchars($token, ENT_QUOTES)."'>
<input type='hidden' name='affiliateid' value='$affiliateid'>
<input type='hidden' name='zoneid' value='$zoneid'>
<input type='hidden' name='returnurl' value='".htmlspecialchars(basename($_SERVER['SCRIPT_NAME']))."'>
@@ -1872,7 +1889,7 @@ function addZonePageTools($affiliateid, $zoneid, $aOtherPublishers, $aEntities)
|| OA_Permission::isAccount(OA_ACCOUNT_MANAGER)
|| OA_Permission::hasPermission(OA_PERM_ZONE_DELETE)) {
$deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteZone']);
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "zone-delete.php?token=" . urlencode(phpAds_SessionGetToken()) . "&affiliateid=$affiliateid&zoneid=$zoneid&returnurl=affiliate-zones.php"), "iconDelete", null, $deleteConfirm);
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "zone-delete.php?token=".urlencode($token)."&affiliateid=$affiliateid&zoneid=$zoneid&returnurl=affiliate-zones.php"), "iconDelete", null, $deleteConfirm);
}
//shortcut
@@ -1890,12 +1907,14 @@ function addChannelPageTools($agencyid, $websiteId, $channelid, $channelType)
$deleteReturlUrl = MAX::constructUrl(MAX_URL_ADMIN, 'channel-index.php');
}
$token = phpAds_SessionGetToken();
//duplicate
addPageLinkTool($GLOBALS["strDuplicate"], MAX::constructUrl(MAX_URL_ADMIN, "channel-modify.php?duplicate=true&agencyid=$agencyid&affiliateid=$websiteId&channelid=$channelid&returnurl=".urlencode(basename($_SERVER['SCRIPT_NAME']))), "iconTargetingChannelDuplicate");
addPageLinkTool($GLOBALS["strDuplicate"], MAX::constructUrl(MAX_URL_ADMIN, "channel-modify.php?token=".urlencode($token)."&duplicate=true&agencyid=$agencyid&affiliateid=$websiteId&channelid=$channelid&returnurl=".urlencode(basename($_SERVER['SCRIPT_NAME']))), "iconTargetingChannelDuplicate");
//delete
$deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteChannel']);
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "channel-delete.php?token=" . urlencode(phpAds_SessionGetToken()) . "&agencyid=$agencyid&affiliateid=$websiteId&channelid=$channelid&returnurl=$deleteReturlUrl"), "iconDelete", null, $deleteConfirm);
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "channel-delete.php?token=".urlencode($token)."&agencyid=$agencyid&affiliateid=$websiteId&channelid=$channelid&returnurl=$deleteReturlUrl"), "iconDelete", null, $deleteConfirm);
}
@@ -13,6 +13,7 @@

<form id="zoneLinkingForm">
<div id="campaign-zone" class="new-form">
<input id="csrf-token" type="hidden" value="{$csrfToken|escape}" />
<input id="advertiser-id" type="hidden" value="{$advertiserId}" />
<input id="campaign-id" type="hidden" value="{$campaignId}" />

@@ -213,6 +214,7 @@ <h3 class="filter-panel-title">{t str=LinkedZones}</h3>
}
var postData = {
"token": $("#csrf-token").val(),
"clientid": $("#advertiser-id").val(),
"campaignid": $("#campaign-id").val(),
"text-linked": quickSearchLinked,
@@ -238,6 +240,9 @@ <h3 class="filter-panel-title">{t str=LinkedZones}</h3>
updatePanel(data, "available");
updatePanel(data, "linked");
// Refresh token
$("#csrf-token").val(extractPart(data, "value", "token"));
$("#linking-status").html(extractPart(data, "info", "result")).stop().show().css("opacity", "1");
if (window.linkingTimout) {
window.linkingTimout.clearTimeout();
@@ -31,13 +31,13 @@
// Security check
OA_Permission::enforceAccount(OA_ACCOUNT_MANAGER);
OA_Permission::checkSessionToken();
/*-------------------------------------------------------*/
/* Main code */
/*-------------------------------------------------------*/
if (!empty($bannerid)) {
OA_Permission::checkSessionToken();
OA_Permission::enforceAccessToObject('banners', $bannerid);
if (!empty($moveto) && isset($moveto_x)) {
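Review bot: `OA_Permission::checkSessionToken()` appears to move from unconditional (L200) to inside `if (!empty($bannerid))` (L205), so any state-changing path this script handles when `bannerid` is empty (creating a new banner, if that is done here) would no longer carry a CSRF check; the same narrowing appears at L211 (`!empty($campaignid)`) and L239 (`$channelid != ''`). If the empty-id branches only render forms this is fine, but that is not visible in the hunk; otherwise the check should sit in front of each write, for instance next to the existing `enforceAccount` call at L199. The guarded block continues outside the hunk.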
@@ -43,6 +43,8 @@
/*-------------------------------------------------------*/
if (!empty($campaignid)) {
OA_Permission::checkSessionToken();
if (!empty($duplicate)) {
// Duplicate the campaign
$doCampaigns = OA_Dal::factoryDO('campaigns');
@@ -38,6 +38,8 @@
OA_Permission::enforceAccount ( OA_ACCOUNT_MANAGER );
OA_Permission::enforceAccessToObject ( 'campaigns', $campaignid );
OA_Permission::checkSessionToken();
$aZonesIds = array();
$aZonesIdsHash = array();
foreach ($_REQUEST['ids'] as $zone) {
@@ -103,4 +105,5 @@
};
echo "<!--result-info-end-->";
?>
// CSRF Token
echo "<!--token-value-start-->".phpAds_SessionGetToken()."<!--token-value-end-->";
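Review bot: As rendered, the new token echo at L227 comes after the closing `?>` at L225; if that is the real order in the file, the line is sent as literal text instead of being executed and `extractPart(data, "value", "token")` in the caller at L193 would never find a value. The hunk header's 4→5 line count does not match the lines shown, so this may be a rendering artifact — worth confirming the echo sits before `?>`.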
@@ -59,6 +59,8 @@
$acl = MAX_AclAdjust($acl, $action);
}
elseif (!empty($submit)) {
OA_Permission::checkSessionToken();
$acl = (isset($acl)) ? $acl : array();
// Only save when inputs are valid
if (OX_AclCheckInputsFields($acl, $pageName) === true) {
@@ -34,6 +34,8 @@
// Security check
if (isset($channelid) && $channelid != '') {
OA_Permission::checkSessionToken();
if (isset($duplicate) && $duplicate == 'true') {
//get channel old channel name
@@ -13,7 +13,7 @@
function OA_runMPE()
{
$objResponse = new xajaxResponse();
$objResponse->addAssign("run-mpe", "innerHTML", "<img src='run-mpe.php' />");
$objResponse->addAssign("run-mpe", "innerHTML", "<img src='run-mpe.ph?token=".urlencode(phpAds_SessionGetToken())."' />");
return $objResponse;
}
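Review bot: The new `src` at L247 reads `run-mpe.ph?token=…` — the `.php` extension has lost its final `p`, so the image request would 404 and the maintenance run never fires (unless the rendering dropped a character, which seems unlikely mid-line). Suggest `$objResponse->addAssign("run-mpe", "innerHTML", "<img src='run-mpe.php?token=".urlencode(phpAds_SessionGetToken())."' />");`.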
@@ -38,6 +38,8 @@
/*-------------------------------------------------------*/
if (!empty($action) && ($action == 'Recompile')) {
OA_Permission::checkSessionToken();
MAX_AclReCompileAll();
echo "<strong>$strAllBannerChannelCompiled</strong><br />";
}
@@ -94,6 +96,7 @@
echo "<br /><strong>". $strErrorsFound ."</strong><br /><br />";
echo $strRepairCompiledLimitations;
echo "<form action='' METHOD='GET'>";
echo "<input type='hidden' name='token' value='".htmlspecialchars(phpAds_SessionGetToken(), ENT_QUOTES)."' />";
echo "<input type='submit' name='action' value='$strRecompile' />";
echo "</form>";
}
@@ -40,6 +40,8 @@
$tr = new MAX_Dal_Inventory_Trackers();
if (!empty($action) && ($action == 'Recompile')) {
OA_Permission::checkSessionToken();
$tr->recompileAppendCodes();
echo "<strong>$strAppendCodesRecompiled<br />";
}
@@ -68,6 +70,7 @@
echo "<br /><strong>$strErrorsFound</strong><br /><br />";
echo "$strRepairAppenedCodes<br />";
echo "<form action='' METHOD='GET'>";
echo "<input type='hidden' name='token' value='".htmlspecialchars(phpAds_SessionGetToken(), ENT_QUOTES)."' />";
echo "<input type='submit' name='action' value='$strRecompile' />";
echo "</form>";
}
@@ -32,6 +32,8 @@
/*-------------------------------------------------------*/
if (!empty($action) && ($action == 'Rebuild')) {
OA_Permission::checkSessionToken();
$result = processBanners(true);
if (empty($result['errors'])) {
if (empty($returnurl)) { $returnurl = 'maintenance-banners-check.php'; }
@@ -57,6 +59,7 @@
_showPageHeader();
echo $GLOBALS['strBannerCacheDifferencesFound'];
echo "<form action='' METHOD='GET'>";
echo "<input type='hidden' name='token' value='".htmlspecialchars(phpAds_SessionGetToken(), ENT_QUOTES)."' />";
echo "<input type='submit' name='action' value='{$GLOBALS['strBannerCacheRebuildButton']}' />";
echo "</form>";
} else {
@@ -105,6 +105,8 @@
);
if (!empty($_POST['encConfirm'])) {
OA_Permission::checkSessionToken();
_iterateTableFields($aTableFields, true);
Header("Location: maintenance-maintenance.php");
}
@@ -201,6 +203,7 @@ function _iterateTableFields($aTableFields, $execute = false)
}
}
echo "</table><br />";
echo "<input type='hidden' name='token' value='".htmlspecialchars(phpAds_SessionGetToken(), ENT_QUOTES)."' />";
echo "<input type='submit' name='encConfirm' value='{$GLOBALS['strConvert']}' /> <input type='button' name='encCancel' value='{$GLOBALS['strCancel']}' onclick='javascript:document.location = \"" . $_SERVER['SCRIPT_NAME'] . "\";' />";
}
@@ -40,6 +40,8 @@
if (!empty($action))
{
OA_Permission::checkSessionToken();
switch ($action)
{
case 'build':
@@ -53,7 +55,7 @@
}
phpAds_ShowBreak();
echo "<img src='" . OX::assetPath() . "/images/".$phpAds_TextDirection."/icon-undo.gif' border='0' align='absmiddle'>&nbsp;<a href='maintenance-menus.php?action=build'>Rebuild Menu Cache</a>&nbsp;&nbsp;";
echo "<img src='" . OX::assetPath() . "/images/".$phpAds_TextDirection."/icon-undo.gif' border='0' align='absmiddle'>&nbsp;<a href='maintenance-menus.php?action=build&amp;token=".urlencode(phpAds_SessionGetToken())."'>Rebuild Menu Cache</a>&nbsp;&nbsp;";
phpAds_ShowBreak();
