
Commit f688033

committed
Fix h1 reports 107550 and 107634
Persistent XSS -------------- Johan Caluwe has reported via HackerOne two vectors for persistent XSS in the Revive Adserver user interface, both requiring a trusted (non-admin) account: 1. the website name wasn't properly escaped when displayed in the campaign-zone.php script; 2. the banner image URL for external banners wasn't properly escaped when displayed in most of the banner-related pages. A CVE-ID has been requested, but not assigned yet. CWE: CWE-79 CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
1 parent 38223a8 commit f688033


2 files changed

+6
-6
lines changed

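--- a/lib/max/Delivery/adRender.php
+++ b/lib/max/Delivery/adRender.php
@@ -210,7 +210,7 @@ function MAX_adRenderImageBeacon($logUrl, $beaconId = 'beacon', $userAgent = nul
 $style = " style='width: 0px; height: 0px;'";
 $divEnd = '</div>';
 }
-$beacon = "$div<img src='".htmlspecialchars($logUrl)."' width='0' height='0' alt=''{$style} />{$divEnd}";
+$beacon = "$div<img src='".htmlspecialchars($logUrl, ENT_QUOTES)."' width='0' height='0' alt=''{$style} />{$divEnd}";
 return $beacon;
 }
 
@@ -249,7 +249,7 @@ function _adRenderImage(&$aBanner, $zoneId=0, $source='', $ct0='', $withText=fal
 if (!empty($clickUrl)) { // There is a link
 $status = _adRenderBuildStatusCode($aBanner);
 //$target = !empty($aBanner['target']) ? $aBanner['target'] : '_blank';
-$clickTag = "<a href='$clickUrl' target='{target}'$status>";
+$clickTag = "<a href='".htmlspecialchars($clickUrl, ENT_QUOTES)."' target='{target}'$status>";
 $clickTagEnd = '</a>';
 } else {
 $clickTag = '';
@@ -261,7 +261,7 @@ function _adRenderImage(&$aBanner, $zoneId=0, $source='', $ct0='', $withText=fal
 $width = !empty($aBanner['width']) ? $aBanner['width'] : 0;
 $height = !empty($aBanner['height']) ? $aBanner['height'] : 0;
 $alt = !empty($aBanner['alt']) ? htmlspecialchars($aBanner['alt'], ENT_QUOTES) : '';
-$imageTag = "$clickTag<img src='$imageUrl' width='$width' height='$height' alt='$alt' title='$alt' border='0'$imgStatus />$clickTagEnd";
+$imageTag = "$clickTag<img src='".htmlspecialchars($imageUrl, ENT_QUOTES)."' width='$width' height='$height' alt='$alt' title='$alt' border='0'$imgStatus />$clickTagEnd";
 } else {
 $imageTag = '';
 }
@@ -324,7 +324,7 @@ function _adRenderFlash(&$aBanner, $zoneId=0, $source='', $ct0='', $withText=fal
 $status = _adRenderBuildStatusCode($aBanner);
 $target = !empty($aBanner['target']) ? $aBanner['target'] : '_blank';
 $swfParams = array('clickTARGET' => $target, 'clickTAG' => $clickUrl);
-$clickTag = "<a href='$clickUrl' target='$target'$status>";
+$clickTag = "<a href='".htmlspecialchars($clickUrl, ENT_QUOTES)."' target='$target'$status>";
 $clickTagEnd = '</a>';
 } else {
 $swfParams = array();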
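Review bot: In the _adRenderFlash hunk (new line 327) the href is now escaped but `$target`, taken one line earlier straight from `$aBanner['target']`, is still interpolated raw into `target='$target'`, so a banner field from the same data source as the image URL reaches the same attribute context unescaped; whether that field is editable by the same trusted account is not visible here, but the escaping should not depend on it. The same pattern is in the _adRenderImage hunk (new line 264), where `$width` and `$height` come from `$aBanner` and are interpolated unescaped into the img tag. I would write `$clickTag = "<a href='".htmlspecialchars($clickUrl, ENT_QUOTES)."' target='".htmlspecialchars($target, ENT_QUOTES)."'$status>";` and `$width = !empty($aBanner['width']) ? (int)$aBanner['width'] : 0;` / `$height = !empty($aBanner['height']) ? (int)$aBanner['height'] : 0;`. `$status` and `$imgStatus` are built outside the hunks and I cannot see whether they are escaped; all three functions start and end outside the visible lines.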

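--- a/lib/templates/admin/campaign-zone-zones.html
+++ b/lib/templates/admin/campaign-zone-zones.html
@@ -63,7 +63,7 @@
 </label>
 </td>
 <td class="link">
-<a title="{t str=EditWebsite} {$website.name}" class="website-icon" href="affiliate-edit.php?affiliateid={$websiteid}">&nbsp;</a>
+<a title="{t str=EditWebsite} {$website.name|escape}" class="website-icon" href="affiliate-edit.php?affiliateid={$websiteid}">&nbsp;</a>
 </td>
 {if !empty($showStats)}
 <td></td>
@@ -82,7 +82,7 @@
 </label>
 </td>
 <td class="link">
-<a title="{t str=EditZone} {$website.name}" class="zone-icon" href="zone-edit.php?affiliateid={$websiteid}&zoneid={$zoneid}">&nbsp;</a>
+<a title="{t str=EditZone} {$website.name|escape}" class="zone-icon" href="zone-edit.php?affiliateid={$websiteid}&zoneid={$zoneid}">&nbsp;</a>
 </td>
 {if !empty($showStats)}
 {assign var="ctr" value="`$zone.ctr*100`"}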
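Review bot: Both hunks (new lines 66 and 85) escape the website name in the title attribute but leave `{$websiteid}` and `{$zoneid}` unescaped inside the href; the template does not show where these values come from, and if the controller always passes integers this is only defensive, but escaping at the output site keeps the template safe regardless of the caller. The second hunk also uses a bare `&` between query parameters inside an attribute, which should be `&amp;` in HTML. I would write `href="zone-edit.php?affiliateid={$websiteid|escape:'url'}&amp;zoneid={$zoneid|escape:'url'}"` on line 85 and `href="affiliate-edit.php?affiliateid={$websiteid|escape:'url'}"` on line 66.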
