Fix h1 reports 107550 and 107634

Persistent XSS
--------------
Johan Caluwe has reported via HackerOne two vectors for persistent XSS in the
Revive Adserver user interface, both requiring a trusted (non-admin) account:

1. the website name wasn't properly escaped when displayed in the
   campaign-zone.php script;
2. the banner image url for external banners wasn't properly escaped when
   displayed in most of the banner related pages.

A CVE-ID has been requested, but not assigned yet.

CWE: CWE-79
CVSSv2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
mbeccati committed Jan 15, 2016
1 parent 38223a8 commit f6880330a8e11e804663f132867e9eb9b1f94e83
Showing with 6 additions and 6 deletions.
  1. +4 −4 lib/max/Delivery/adRender.php
  2. +2 −2 lib/templates/admin/campaign-zone-zones.html
@@ -210,7 +210,7 @@ function MAX_adRenderImageBeacon($logUrl, $beaconId = 'beacon', $userAgent = nul
$style = " style='width: 0px; height: 0px;'";
$divEnd = '</div>';
}
$beacon = "$div<img src='".htmlspecialchars($logUrl)."' width='0' height='0' alt=''{$style} />{$divEnd}";
$beacon = "$div<img src='".htmlspecialchars($logUrl, ENT_QUOTES)."' width='0' height='0' alt=''{$style} />{$divEnd}";
return $beacon;
}
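Review bot: passing ENT_QUOTES on the $logUrl line is the correct fix here because the generated `src` attribute is single-quoted; the default htmlspecialchars flags only encode double quotes, so a single quote in $logUrl could previously terminate the attribute. To make the escaping less dependent on remembering the flag at every call site, consider emitting the attributes with double quotes as well.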
@@ -249,7 +249,7 @@ function _adRenderImage(&$aBanner, $zoneId=0, $source='', $ct0='', $withText=fal
if (!empty($clickUrl)) { // There is a link
$status = _adRenderBuildStatusCode($aBanner);
//$target = !empty($aBanner['target']) ? $aBanner['target'] : '_blank';
$clickTag = "<a href='$clickUrl' target='{target}'$status>";
$clickTag = "<a href='".htmlspecialchars($clickUrl, ENT_QUOTES)."' target='{target}'$status>";
$clickTagEnd = '</a>';
} else {
$clickTag = '';
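Review bot: escaping $clickUrl on the href line stops attribute breakout, but htmlspecialchars does not constrain the URL scheme; if $clickUrl can come from banner data supplied by a non-admin account, validate it against an allowlist of schemes (http, https) before interpolating it. The commented-out `//$target = ...` line above the fix is dead code and could be dropped in the same change.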
@@ -261,7 +261,7 @@ function _adRenderImage(&$aBanner, $zoneId=0, $source='', $ct0='', $withText=fal
$width = !empty($aBanner['width']) ? $aBanner['width'] : 0;
$height = !empty($aBanner['height']) ? $aBanner['height'] : 0;
$alt = !empty($aBanner['alt']) ? htmlspecialchars($aBanner['alt'], ENT_QUOTES) : '';
$imageTag = "$clickTag<img src='$imageUrl' width='$width' height='$height' alt='$alt' title='$alt' border='0'$imgStatus />$clickTagEnd";
$imageTag = "$clickTag<img src='".htmlspecialchars($imageUrl, ENT_QUOTES)."' width='$width' height='$height' alt='$alt' title='$alt' border='0'$imgStatus />$clickTagEnd";
} else {
$imageTag = '';
}
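Review bot: $width and $height are taken from $aBanner and interpolated into the width/height attributes without escaping or casting, while $imageUrl and $alt on the same line are now encoded. Since both are numeric, casting them with (int) when they are assigned (`$width = !empty($aBanner['width']) ? (int) $aBanner['width'] : 0;`) closes that gap consistently with the rest of the hunk.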
@@ -324,7 +324,7 @@ function _adRenderFlash(&$aBanner, $zoneId=0, $source='', $ct0='', $withText=fal
$status = _adRenderBuildStatusCode($aBanner);
$target = !empty($aBanner['target']) ? $aBanner['target'] : '_blank';
$swfParams = array('clickTARGET' => $target, 'clickTAG' => $clickUrl);
$clickTag = "<a href='$clickUrl' target='$target'$status>";
$clickTag = "<a href='".htmlspecialchars($clickUrl, ENT_QUOTES)."' target='$target'$status>";
$clickTagEnd = '</a>';
} else {
$swfParams = array();
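Review bot: $target, read from $aBanner['target'] two lines above, is interpolated into `target='$target'` without htmlspecialchars, which is the same pattern this hunk fixes for $clickUrl on the neighbouring line; wrap it as `htmlspecialchars($target, ENT_QUOTES)` too. The unescaped $clickUrl also goes into $swfParams for the Flash click tag, so please confirm that those values are encoded where the flashvars are rendered.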
@@ -63,7 +63,7 @@
</label>
</td>
<td class="link">
<a title="{t str=EditWebsite} {$website.name}" class="website-icon" href="affiliate-edit.php?affiliateid={$websiteid}">&nbsp;</a>
<a title="{t str=EditWebsite} {$website.name|escape}" class="website-icon" href="affiliate-edit.php?affiliateid={$websiteid}">&nbsp;</a>
</td>
{if !empty($showStats)}
<td></td>
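Review bot: `{$website.name|escape}` fixes the title attribute, but `{$websiteid}` in the href on the same line is still emitted raw. If the controller guarantees it is an integer that is acceptable, but escaping it in the template (for example `{$websiteid|escape:'url'}`) keeps the template safe regardless of the caller.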
@@ -82,7 +82,7 @@
</label>
</td>
<td class="link">
<a title="{t str=EditZone} {$website.name}" class="zone-icon" href="zone-edit.php?affiliateid={$websiteid}&zoneid={$zoneid}">&nbsp;</a>
<a title="{t str=EditZone} {$website.name|escape}" class="zone-icon" href="zone-edit.php?affiliateid={$websiteid}&zoneid={$zoneid}">&nbsp;</a>
</td>
{if !empty($showStats)}
{assign var="ctr" value="`$zone.ctr*100`"}
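Review bot: same remark as for the website link: `{$websiteid}` and `{$zoneid}` in the href are interpolated without the escape modifier, so only `{$website.name}` is protected by this hunk. Applying `|escape` to those values (and using `&amp;` rather than a bare `&` between the query parameters inside the attribute) would make the whole link consistent.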

0 comments on commit f688033