Fix h1 report 178611
Reflected XSS
-------------

The HackerOne user pavanw3b has reported that the Revive Adserver was
vulnerable to a reflected XSS attack: several of the parameters used in
the invocation code generation for interstitial zones weren't properly
escaped when displayed.

CWE-ID: CWE-79

CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 4.2
CVSSv3 Temporal Score: 3.7
mbeccati committed Jan 30, 2017
1 parent 0b311d3 commit f2f64d9
Showing 6 changed files with 21 additions and 21 deletions.
Expand Up @@ -4,13 +4,13 @@
<plugin>
<name>openXInvocationTags</name>
<displayName>Invocation Tags Plugin</displayName>
<creationDate>2016-02-23</creationDate>
<creationDate>2016-12-28</creationDate>
<author>Revive Adserver</author>
<authorEmail>revive@revive-adserver.com</authorEmail>
<authorUrl>http://www.revive-adserver.com</authorUrl>
<license>LICENSE.txt</license>
<description>Plugin that provides invocation tags.</description>
<version>1.4.5</version>
<version>1.4.6</version>
<type>package</type>

<install>
Expand Up @@ -4,13 +4,13 @@
<plugin>
<name>oxInvocationTags</name>
<displayName>Invocation Tags Plugin</displayName>
<creationDate>2016-02-23</creationDate>
<creationDate>2016-12-28</creationDate>
<author>Revive Adserver</author>
<authorEmail>revive@revive-adserver.com</authorEmail>
<authorUrl>http://www.revive-adserver.com</authorUrl>
<license>LICENSE.txt</license>
<description>Plugin that provides invocation tags for displaying banners on websites.</description>
<version>1.4.5</version>
<version>1.4.6</version>
<oxversion>3.2.0-beta-rc3</oxversion>
<extends>invocationTags</extends>

Expand Up @@ -80,7 +80,7 @@ function placeLayerSettings ()

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Delay before banner is hidden")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='delay' size='' value='".$delay."' style='width:60px;'".($hide == '0' ? ' disabled' : '')." tabindex='".($tabindex++)."'> ms</td></tr>";
$buffer .= "<input class='flat' type='text' name='delay' size='' value='".htmlspecialchars($delay, ENT_QUOTES)."' style='width:60px;'".($hide == '0' ? ' disabled' : '')." tabindex='".($tabindex++)."'> ms</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td width='30'>&nbsp;</td>";
Expand All @@ -98,12 +98,12 @@ function placeLayerSettings ()

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Horizontal shift")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='offsetx' size='' value='".$offsetx."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='offsetx' size='' value='".htmlspecialchars($offsetx, ENT_QUOTES)."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Vertical shift")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='offsety' size='' value='".$offsety."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='offsety' size='' value='".htmlspecialchars($offsety, ENT_QUOTES)."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

return $buffer;
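Review bot: Nothing next to the new `htmlspecialchars($delay, ENT_QUOTES)` calls (also `$offsetx` and `$offsety`) records why the `ENT_QUOTES` flag is there, and it is the part that matters: every `value='…'` attribute in this form is single-quoted, and before PHP 8.1 the default flags leave `'` unescaped. I would add one comment above the first patched input, `// value attributes are single-quoted: ENT_QUOTES is required, the pre-8.1 default flags leave ' unescaped`, so that a later cleanup does not drop the flag. The same comment fits the other placeLayerSettings() variants touched by this commit. The function starts outside the hunk, so where these variables are populated is not visible here.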
Expand Up @@ -90,12 +90,12 @@ function placeLayerSettings ()

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Pause")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='pause' size='' value='".$pause."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strSeconds']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='pause' size='' value='".htmlspecialchars($pause, ENT_QUOTES)."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strSeconds']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Vertical shift")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='shiftv' size='' value='".$shiftv."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='shiftv' size='' value='".htmlspecialchars($shiftv, ENT_QUOTES)."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td width='30'>&nbsp;</td>";
Expand All @@ -108,12 +108,12 @@ function placeLayerSettings ()

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Left margin")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='lmargin' size='' tabindex='".($tabindex++)."' value='".$lmargin."' style='width:60px;'".($limited == 'f' ? ' disabled' : '')."> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='lmargin' size='' tabindex='".($tabindex++)."' value='".htmlspecialchars($lmargin, ENT_QUOTES)."' style='width:60px;'".($limited == 'f' ? ' disabled' : '')."> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Right margin")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='rmargin' size='' tabindex='".($tabindex++)."' value='".$rmargin."' style='width:60px;'".($limited == 'f' ? ' disabled' : '')."> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='rmargin' size='' tabindex='".($tabindex++)."' value='".htmlspecialchars($rmargin, ENT_QUOTES)."' style='width:60px;'".($limited == 'f' ? ' disabled' : '')."> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td width='30'>&nbsp;</td>";
Expand All @@ -133,7 +133,7 @@ function placeLayerSettings ()
$buffer .= "<table border='0' cellspacing='1' cellpadding='0' bgcolor='#000000'><tr>";
$buffer .= "<td id='backcolor_box' bgcolor='".$backcolor."'><img src='" . OX::assetPath() . "/images/spacer.gif' width='16' height='16'></td>";
$buffer .= "</tr></table></td><td>";
$buffer .= "<input type='text' class='flat' name='backcolor' size='10' maxlength='7' tabindex='".($tabindex++)."' value='".$backcolor."'".($transparent == 't' ? ' disabled' : '')." onFocus='current_cp = this; current_cp_oldval = this.value; current_box = backcolor_box' onChange='c_update()'>";
$buffer .= "<input type='text' class='flat' name='backcolor' size='10' maxlength='7' tabindex='".($tabindex++)."' value='".htmlspecialchars($backcolor, ENT_QUOTES)."'".($transparent == 't' ? ' disabled' : '')." onFocus='current_cp = this; current_cp_oldval = this.value; current_box = backcolor_box' onChange='c_update()'>";
$buffer .= "</td><td align='right' width='218'>";
$buffer .= "<div onMouseOver='current_cp = backcolor; current_box = backcolor_box' onMouseOut='current_cp = null'><img src='" . OX::assetPath() . "/images/colorpicker.png' width='193' height='18' align='absmiddle' usemap='#colorpicker' border='0'><img src='" . OX::assetPath() . "/images/spacer.gif' width='22' height='1'></div>";
$buffer .= "</td></tr></table>";
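Review bot: `$backcolor` is still written unescaped into `bgcolor='".$backcolor."'` on the `backcolor_box` cell, two lines above the input this hunk fixes, so the same value still reaches a single-quoted attribute raw. The last file section has the same gap on its `backcolor_box` and `bordercolor_box` cells. Use `bgcolor='".htmlspecialchars($backcolor, ENT_QUOTES)."'` (and the `$bordercolor` equivalent) on those lines. If these are meant to be `#rrggbb` colours, as `maxlength='7'` suggests, validating the format before output would be tighter than escaping alone. placeLayerSettings() begins and ends outside the hunks shown.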
Expand Up @@ -58,17 +58,17 @@ function placeLayerSettings ()

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Close text")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='closetext' size='' value='".$closetext."' style='width:175px;' tabindex='".($tabindex++)."'></td></tr>";
$buffer .= "<input class='flat' type='text' name='closetext' size='' value='".htmlspecialchars($closetext, ENT_QUOTES)."' style='width:175px;' tabindex='".($tabindex++)."'></td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Automatically collapse after")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='collapsetime' size='' value='".(isset($collapsetime) ? $collapsetime : '-')."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrSeconds']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='collapsetime' size='' value='".(isset($collapsetime) ? htmlspecialchars($collapsetime, ENT_QUOTES) : '-')."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrSeconds']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Banner padding")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='padding' size='' value='".(isset($padding) ? $padding : '0')."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='padding' size='' value='".(isset($padding) ? htmlspecialchars($padding, ENT_QUOTES) : '0')."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

return $buffer;
Expand Up @@ -87,7 +87,7 @@ function placeLayerSettings ()

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Automatically close after")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='closetime' size='' value='".(isset($closetime) ? $closetime : '-')."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrSeconds']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='closetime' size='' value='".(isset($closetime) ? htmlspecialchars($closetime, ENT_QUOTES) : '-')."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrSeconds']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td height='10' colspan='3'>&nbsp;</td></tr>";
Expand All @@ -96,17 +96,17 @@ function placeLayerSettings ()

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Banner padding")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='padding' size='' value='".$padding."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='padding' size='' value='".htmlspecialchars($padding, ENT_QUOTES)."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Horizontal shift")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='shifth' size='' value='".$shifth."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='shifth' size='' value='".htmlspecialchars($shifth, ENT_QUOTES)."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$buffer .= "<tr><td width='30'>&nbsp;</td>";
$buffer .= "<td width='200'>".$this->translate("Vertical shift")."</td><td width='370'>";
$buffer .= "<input class='flat' type='text' name='shiftv' size='' value='".$shiftv."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<input class='flat' type='text' name='shiftv' size='' value='".htmlspecialchars($shiftv, ENT_QUOTES)."' style='width:60px;' tabindex='".($tabindex++)."'> ".$GLOBALS['strAbbrPixels']."</td></tr>";
$buffer .= "<tr><td width='30'><img src='" . OX::assetPath() . "/images/spacer.gif' height='5' width='100%'></td></tr>";

$this->settings_cp_map();
Expand All @@ -118,7 +118,7 @@ function placeLayerSettings ()
$buffer .= "<table border='0' cellspacing='1' cellpadding='0' bgcolor='#000000'><tr>";
$buffer .= "<td id='backcolor_box' bgcolor='".$backcolor."'><img src='" . OX::assetPath() . "/images/spacer.gif' width='16' height='16'></td>";
$buffer .= "</tr></table></td><td>";
$buffer .= "<input type='text' class='flat' name='backcolor' size='10' maxlength='7' tabindex='".($tabindex++)."' value='".$backcolor."' onFocus='current_cp = this; current_cp_oldval = this.value; current_box = backcolor_box' onChange='c_update()'".($nobg == 't' ? ' disabled' : '').">";
$buffer .= "<input type='text' class='flat' name='backcolor' size='10' maxlength='7' tabindex='".($tabindex++)."' value='".htmlspecialchars($backcolor, ENT_QUOTES)."' onFocus='current_cp = this; current_cp_oldval = this.value; current_box = backcolor_box' onChange='c_update()'".($nobg == 't' ? ' disabled' : '').">";
$buffer .= "</td><td align='right' width='218'>";
$buffer .= "<div id='backDiv'".($nobg == 't' ? " style='display: none'" : '')." onMouseOver='current_cp = backcolor; current_box = backcolor_box' onMouseOut='current_cp = null'><img src='" . OX::assetPath() . "/images/colorpicker.png' width='193' height='18' align='absmiddle' usemap='#colorpicker' border='0'><img src='" . OX::assetPath() . "/images/spacer.gif' width='22' height='1'></div>";
$buffer .= "</td></tr></table>";
Expand All @@ -131,7 +131,7 @@ function placeLayerSettings ()
$buffer .= "<table border='0' cellspacing='1' cellpadding='0' bgcolor='#000000'><tr>";
$buffer .= "<td id='bordercolor_box' bgcolor='".$bordercolor."'><img src='" . OX::assetPath() . "/images/spacer.gif' width='16' height='16'></td>";
$buffer .= "</tr></table></td><td>";
$buffer .= "<input type='text' class='flat' name='bordercolor' size='10' maxlength='7' tabindex='".($tabindex++)."' value='".$bordercolor."' onFocus='current_cp = this; current_cp_oldval = this.value; current_box = bordercolor_box' onChange='c_update()'".($noborder == 't' ? ' disabled' : '').">";
$buffer .= "<input type='text' class='flat' name='bordercolor' size='10' maxlength='7' tabindex='".($tabindex++)."' value='".htmlspecialchars($bordercolor, ENT_QUOTES)."' onFocus='current_cp = this; current_cp_oldval = this.value; current_box = bordercolor_box' onChange='c_update()'".($noborder == 't' ? ' disabled' : '').">";
$buffer .= "</td><td align='right' width='218'>";
$buffer .= "<div id='borderDiv'".($noborder == 't' ? " style='display: none'" : '')." onMouseOver='current_cp = bordercolor; current_box = bordercolor_box' onMouseOut='current_cp = null'><img src='" . OX::assetPath() . "/images/colorpicker.png' width='193' height='18' align='absmiddle' usemap='#colorpicker' border='0'><img src='" . OX::assetPath() . "/images/spacer.gif' width='22' height='1'></div>";
$buffer .= "</td></tr></table>";
