Date: Wed, 07 May 2014 09:56:26 +0100 From: Alan Hicks <ahicks@p-o.co.uk> To: freebsd-ports@freebsd.org Subject: Re: www/openx: CVE-2013-7149 no patch available? Message-ID: <5369F53A.1050505@p-o.co.uk> In-Reply-To: <53693756.7050306@b1t.name> References: <53693756.7050306@b1t.name>
This is a multi-part message in MIME format. --------------050109040100010105000002 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 06/05/2014 20:26, Volodymyr Kostyrko wrote: > Hi all. > > In case anyone is still using www/openx. > > Does anyone know about any patches for this issue? Had anyone patched > openx by himself? > The project has moved to https://github.com/revive-adserver Although I have patched my copy of OpenX for both the vulnerability and PostgreSQL support, there was no interest from the people at revive-adserver, though they have since patched the vulnerability. Having almost completed the removal of OpenX from my servers there is little interest in supporting it. Original patch attached for reference. Hope this helps, Alan --------------050109040100010105000002 Content-Type: text/x-patch; name="lib_OA_Dal_Delivery.php.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="lib_OA_Dal_Delivery.php.diff" Index: lib/OA/Dal/Delivery.php =================================================================== --- lib/OA/Dal/Delivery.php (revision 82818) +++ lib/OA/Dal/Delivery.php (working copy) @@ -120,7 +120,7 @@ $aConf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $zoneid = (int)$zoneid; + //$zoneid = (int)$zoneid; // Get the zone information $query = " @@ -151,7 +151,7 @@ ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['affiliates'])." AS a, ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['agency'])." AS m WHERE - z.zoneid = {$zoneid} + z.zoneid = ".(int)$zoneid." AND z.affiliateid = a.affiliateid AND @@ -169,7 +169,7 @@ p.preference_id AS preference_id, p.preference_name AS preference_name FROM - {$aConf['table']['prefix']}{$aConf['table']['preferences']} AS p + ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['preferences'])." AS p WHERE p.preference_name = 'default_banner_image_url' OR 
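Review bot: Replacing `$zoneid = (int)$zoneid;` with a commented-out line in the @@ -120 hunk removes the function-wide sanitisation instead of supplementing it, so any later use of `$zoneid` in this function that is not individually wrapped in `(int)` — including uses outside the hunks shown — now receives the raw caller value. Keep both layers: leave `$zoneid = (int)$zoneid;` in place (which also keeps the `// Sanitise parameteres` comment truthful) and retain the inline `".(int)$zoneid."` added in the @@ -151 hunk as defence in depth. The same `//` pattern recurs for `$publisherid`, `$ad_id`, `$channelid` and `$trackerid` in later hunks of this patch and should be handled the same way. The enclosing function begins before this hunk.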
@@ -201,9 +201,9 @@ FROM ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['account_preference_assoc'])." AS apa WHERE - apa.account_id = {$aZoneInfo['trafficker_account_id']} + apa.account_id = ".(int)$aZoneInfo['trafficker_account_id']." AND - apa.preference_id = $default_banner_destination_url_id + apa.preference_id = ".(int)$default_banner_destination_url_id." UNION SELECT 'default_banner_destination_url_manager' AS item, @@ -211,9 +211,9 @@ FROM ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['account_preference_assoc'])." AS apa WHERE - apa.account_id = {$aZoneInfo['manager_account_id']} + apa.account_id = ".(int)$aZoneInfo['manager_account_id']." AND - apa.preference_id = $default_banner_destination_url_id + apa.preference_id = ".(int)$default_banner_destination_url_id." UNION SELECT 'default_banner_image_url_trafficker' AS item, @@ -221,9 +221,9 @@ FROM ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['account_preference_assoc'])." AS apa WHERE - apa.account_id = {$aZoneInfo['trafficker_account_id']} + apa.account_id = ".(int)$aZoneInfo['trafficker_account_id']." AND - apa.preference_id = $default_banner_image_url_id + apa.preference_id = ".(int)$default_banner_image_url_id." UNION SELECT 'default_banner_image_url_manager' AS item, @@ -231,9 +231,9 @@ FROM ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['account_preference_assoc'])." AS apa WHERE - apa.account_id = {$aZoneInfo['manager_account_id']} + apa.account_id = ".(int)$aZoneInfo['manager_account_id']." AND - apa.preference_id = $default_banner_image_url_id + apa.preference_id = ".(int)$default_banner_image_url_id." UNION SELECT 'default_banner_image_url_admin' AS item, @@ -246,7 +246,7 @@ AND a.account_type = 'ADMIN' AND - apa.preference_id = $default_banner_image_url_id + apa.preference_id = ".(int)$default_banner_image_url_id." UNION SELECT 'default_banner_destination_url_admin' AS item, 
@@ -259,7 +259,7 @@ AND a.account_type = 'ADMIN' AND - apa.preference_id = $default_banner_destination_url_id"; + apa.preference_id = ".(int)$default_banner_destination_url_id; $rDefaultBannerInfo = OA_Dal_Delivery_query($query); if (!is_resource($rDefaultBannerInfo)) { @@ -326,7 +326,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $publisherid = (int)$publisherid; + //$publisherid = (int)$publisherid; $rZones = OA_Dal_Delivery_query(" SELECT @@ -337,7 +337,7 @@ FROM ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['zones'])." AS z WHERE - z.affiliateid={$publisherid} + z.affiliateid=".(int)$publisherid." "); if (!is_resource($rZones)) { @@ -371,7 +371,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $zoneid = (int)$zoneid; + //$zoneid = (int)$zoneid; $aRows = OA_Dal_Delivery_getZoneInfo($zoneid); @@ -456,7 +456,7 @@ ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['clients'])." AS m ON (m.clientid = c.clientid) LEFT JOIN ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['agency'])." AS a ON (a.agencyid = m.agencyid) WHERE - az.zone_id = {$zoneid} + az.zone_id = ".(int)$zoneid." AND d.status <= 0 AND @@ -540,7 +540,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $zoneid = (int)$zoneid; + //$zoneid = (int)$zoneid; $aRows['xAds'] = array(); $aRows['ads'] = array(); @@ -584,7 +584,7 @@ ."c.ecpm_enabled AS ecpm_enabled, " ."c.ecpm AS ecpm, " ."ct.status AS tracker_status, " - .OX_Dal_Delivery_regex("d.htmlcache", "src\\s?=\\s?[\\'\"]http:")." AS html_ssl_unsafe, " + .OX_Dal_Delivery_regex("d.htmlcache", OX_escapeString('src\s?=\s?['."'".'"]http:'))." AS html_ssl_unsafe, " .OX_Dal_Delivery_regex("d.imageurl", "^http:")." AS url_ssl_unsafe " ."FROM " .OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['banners'])." AS d JOIN " 
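Review bot: In the @@ -584 hunk the regex literal handed to OX_Dal_Delivery_regex is now passed through OX_escapeString, but the quoting that helper applies on each backend is not visible here; if it (or its PostgreSQL variant) already escapes its argument or wraps it in an E'' literal, the backslash in `\s` would be doubled and the html_ssl_unsafe detection would silently stop matching. Worth confirming on both MySQL and PostgreSQL with a banner whose htmlcache contains `src='http:` and `src="http:`. The same literal is duplicated verbatim in the @@ -1469 hunk; hoisting it into one constant, e.g. `define('OX_HTML_SSL_UNSAFE_REGEX', 'src\s?=\s?[\'"]http:');`, keeps the two queries from drifting apart. The enclosing function begins before this hunk.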
@@ -592,7 +592,7 @@ .OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['campaigns'])." AS c ON (c.campaignid = d.campaignid) LEFT JOIN " .OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['campaigns_trackers'])." AS ct ON (ct.campaignid = c.campaignid) " ."WHERE " - ."az.zone_id = {$zoneid} " + ."az.zone_id = ".(int)$zoneid." " ."AND " ."d.status <= 0 " ."AND " @@ -650,7 +650,7 @@ $campaignid = (int)$campaignid; if ($campaignid > 0) { - $precondition = " AND d.campaignid = '".$campaignid."' "; + $precondition = " AND d.campaignid = ".(int)$campaignid." "; } else { $precondition = ''; } @@ -722,7 +722,7 @@ $campaignid = (int)$campaignid; if ($campaignid > 0) { - $precondition = " AND d.campaignid = '".$campaignid."' "; + $precondition = " AND d.campaignid = ".(int)$campaignid." "; } else { $precondition = ''; } @@ -816,7 +816,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $ad_id = (int)$ad_id; + //$ad_id = (int)$ad_id; $query = " SELECT @@ -870,7 +870,7 @@ ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['campaigns'])." AS c, ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['clients'])." AS m WHERE - d.bannerid={$ad_id} + d.bannerid=".(int)$ad_id." AND d.campaignid = c.campaignid AND @@ -895,7 +895,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $channelid = (int)$channelid; + //$channelid = (int)$channelid; $rLimitation = OA_Dal_Delivery_query(" SELECT @@ -903,7 +903,7 @@ FROM ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['channel'])." WHERE - channelid={$channelid}"); + channelid=".(int)$channelid); if (!is_resource($rLimitation)) { return (defined('OA_DELIVERY_CACHE_FUNCTION_ERROR')) ? OA_DELIVERY_CACHE_FUNCTION_ERROR : null; } @@ -949,7 +949,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $trackerid = (int)$trackerid; + //$trackerid = (int)$trackerid; $rTracker = OA_Dal_Delivery_query(" SELECT 
@@ -965,7 +965,7 @@ FROM ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['trackers'])." AS t WHERE - t.trackerid={$trackerid} + t.trackerid=".(int)$trackerid." "); if (!is_resource($rTracker)) { return (defined('OA_DELIVERY_CACHE_FUNCTION_ERROR')) ? OA_DELIVERY_CACHE_FUNCTION_ERROR : null; @@ -979,7 +979,7 @@ $aConf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $trackerid = (int)$trackerid; + //$trackerid = (int)$trackerid; $rCreatives = OA_Dal_Delivery_query(" SELECT @@ -998,7 +998,7 @@ ct.trackerid=t.trackerid AND c.campaignid=b.campaignid AND b.campaignid = ct.campaignid - " . ((!empty($trackerid)) ? ' AND t.trackerid='.$trackerid : '') . " + " . ((!empty($trackerid)) ? ' AND t.trackerid='.(int)$trackerid : '') . " "); if (!is_resource($rCreatives)) { return (defined('OA_DELIVERY_CACHE_FUNCTION_ERROR')) ? OA_DELIVERY_CACHE_FUNCTION_ERROR : null; @@ -1022,7 +1022,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $trackerid = (int)$trackerid; + //$trackerid = (int)$trackerid; $rVariables = OA_Dal_Delivery_query(" SELECT @@ -1038,7 +1038,7 @@ FROM ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['variables'])." AS v WHERE - v.trackerid={$trackerid} + v.trackerid=".(int)$trackerid." "); if (!is_resource($rVariables)) { return (defined('OA_DELIVERY_CACHE_FUNCTION_ERROR')) ? OA_DELIVERY_CACHE_FUNCTION_ERROR : null; @@ -1193,6 +1193,8 @@ if(preg_match('#^(?:size:)?([0-9]+x[0-9]+)$#', $part_array[$k], $m)) { list($width, $height) = explode('x', $m[1]); + $width = (int) $width; + $height = (int) $height; if ($operator == 'OR') $conditions .= "OR (d.width = $width AND d.height = $height) "; 
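Review bot: In the @@ -998 hunk `!empty($trackerid)` is evaluated on the raw value while the cast happens only inside the ternary, because the @@ -979 hunk on the same line comments out `$trackerid = (int)$trackerid;`; a non-empty but non-numeric value such as `"abc"` now passes the emptiness test and emits `AND t.trackerid=0` instead of being treated as "no tracker filter", as the original cast-then-test order did. Restoring the early cast (`$trackerid = (int)$trackerid;`) makes `!empty` test the integer and keeps the two checks consistent; the inline `(int)` can stay. The enclosing function begins before this hunk.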
@@ -1219,27 +1221,29 @@ // Only upper limit, set lower limit to make sure not text ads are delivered if ($min == '') $min = 1; + $min = (int) $min; // Only lower limit if ($max == '') { if ($operator == 'OR') - $conditions .= "OR d.width >= '".trim($min)."' "; + $conditions .= "OR d.width >= ".$min." "; elseif ($operator == 'AND') - $conditions .= "AND d.width >= '".trim($min)."' "; + $conditions .= "AND d.width >= ".$min." "; else - $conditions .= "AND d.width < '".trim($min)."' "; + $conditions .= "AND d.width < ".$min." "; } // Both lower and upper limit if ($max != '') { + $max = (int) $max; if ($operator == 'OR') - $conditions .= "OR (d.width >= '".trim($min)."' AND d.width <= '".trim($max)."') "; + $conditions .= "OR (d.width >= ".$min." AND d.width <= ".$max.") "; elseif ($operator == 'AND') - $conditions .= "AND (d.width >= '".trim($min)."' AND d.width <= '".trim($max)."') "; + $conditions .= "AND (d.width >= ".$min." AND d.width <= ".$max.") "; else - $conditions .= "AND (d.width < '".trim($min)."' OR d.width > '".trim($max)."') "; + $conditions .= "AND (d.width < ".$min." OR d.width > ".$max.") "; } } else @@ -1247,11 +1251,11 @@ // Single value if ($operator == 'OR') - $conditions .= "OR d.width = '".trim($part_array[$k])."' "; + $conditions .= "OR d.width = ".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.width = '".trim($part_array[$k])."' "; + $conditions .= "AND d.width = ".(int)$part_array[$k]." "; else - $conditions .= "AND d.width != '".trim($part_array[$k])."' "; + $conditions .= "AND d.width != ".(int)$part_array[$k]." "; } } 
@@ -1272,16 +1276,17 @@ // Only upper limit, set lower limit to make sure not text ads are delivered if ($min == '') $min = 1; + $min = (int)$min; // Only lower limit if ($max == '') { if ($operator == 'OR') - $conditions .= "OR d.height >= '".trim($min)."' "; + $conditions .= "OR d.height >= ".$min." "; elseif ($operator == 'AND') - $conditions .= "AND d.height >= '".trim($min)."' "; + $conditions .= "AND d.height >= ".$min." "; else - $conditions .= "AND d.height < '".trim($min)."' "; + $conditions .= "AND d.height < ".$min." "; } // Both lower and upper limit @@ -1288,11 +1293,11 @@ if ($max != '') { if ($operator == 'OR') - $conditions .= "OR (d.height >= '".trim($min)."' AND d.height <= '".trim($max)."') "; + $conditions .= "OR (d.height >= ".$min." AND d.height <= ".(int)$max.") "; elseif ($operator == 'AND') - $conditions .= "AND (d.height >= '".trim($min)."' AND d.height <= '".trim($max)."') "; + $conditions .= "AND (d.height >= ".$min." AND d.height <= ".(int)$max.") "; else - $conditions .= "AND (d.height < '".trim($min)."' OR d.height > '".trim($max)."') "; + $conditions .= "AND (d.height < ".$min." OR d.height > ".(int)$max.") "; } } else @@ -1300,11 +1305,11 @@ // Single value if ($operator == 'OR') - $conditions .= "OR d.height = '".trim($part_array[$k])."' "; + $conditions .= "OR d.height = ".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.height = '".trim($part_array[$k])."' "; + $conditions .= "AND d.height = ".(int)$part_array[$k]." "; else - $conditions .= "AND d.height != '".trim($part_array[$k])."' "; + $conditions .= "AND d.height != ".(int)$part_array[$k]." "; } } 
@@ -1319,11 +1324,11 @@ if ($part_array[$k]) { if ($operator == 'OR') - $conditions .= "OR d.bannerid='".$part_array[$k]."' "; + $conditions .= "OR d.bannerid=".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.bannerid='".$part_array[$k]."' "; + $conditions .= "AND d.bannerid=".(int)$part_array[$k]." "; else - $conditions .= "AND d.bannerid!='".$part_array[$k]."' "; + $conditions .= "AND d.bannerid!=".(int)$part_array[$k]." "; } $onlykeywords = false; @@ -1337,11 +1342,11 @@ if ($part_array[$k]) { if ($operator == 'OR') - $conditions .= "OR d.campaignid='".trim($part_array[$k])."' "; + $conditions .= "OR d.campaignid=".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.campaignid='".trim($part_array[$k])."' "; + $conditions .= "AND d.campaignid=".(int)$part_array[$k]." "; else - $conditions .= "AND d.campaignid!='".trim($part_array[$k])."' "; + $conditions .= "AND d.campaignid!=".(int)$part_array[$k]." "; } $onlykeywords = false; @@ -1354,11 +1359,11 @@ if($part_array[$k] != '' && $part_array[$k] != ' ') { if ($operator == 'OR') - $conditions .= "OR d.contenttype='".trim($part_array[$k])."' "; + $conditions .= "OR d.contenttype=".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.contenttype='".trim($part_array[$k])."' "; + $conditions .= "AND d.contenttype=".(int)$part_array[$k]." "; else - $conditions .= "AND d.contenttype!='".trim($part_array[$k])."' "; + $conditions .= "AND d.contenttype!=".(int)$part_array[$k]." "; } $onlykeywords = false; @@ -1469,7 +1474,7 @@ 'm.ecpm_enabled AS ecpm_enabled', 'm.ecpm AS ecpm', 'ct.status AS tracker_status', - OX_Dal_Delivery_regex("d.htmlcache", "src\\s?=\\s?[\\'\"]http:")." AS html_ssl_unsafe", + OX_Dal_Delivery_regex("d.htmlcache", OX_escapeString('src\s?=\s?['."'".'"]http:'))." AS html_ssl_unsafe", OX_Dal_Delivery_regex("d.imageurl", "^http:")." AS url_ssl_unsafe", ); 
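Review bot: The @@ -1354 hunk casts the `d.contenttype` comparisons to `(int)`, yet the parallel @@ -1680 hunk later in this patch treats the same column as a quoted, escaped string, which suggests contenttype is a string column; casting would turn every supplied value into `0` and compare a string column against an integer, so this limitation would silently match the wrong rows. Make this hunk match the later one: `$conditions .= "OR d.contenttype='".OX_escapeString(trim($part_array[$k]))."' ";` and likewise for the `AND` and `!=` branches. I cannot see the column definition from here, so confirm against the schema before changing. The enclosing function begins before this hunk.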
@@ -1519,6 +1524,8 @@ if(preg_match('#^(?:size:)?([0-9]+x[0-9]+)$#', $part_array[$k], $m)) { list($width, $height) = explode('x', $m[1]); + $width = (int) $width; + $height = (int) $height; if ($operator == 'OR') $conditions .= "OR (d.width = $width AND d.height = $height) "; @@ -1545,16 +1552,17 @@ // Only upper limit, set lower limit to make sure not text ads are delivered if ($min == '') $min = 1; + $min = (int) $min; // Only lower limit if ($max == '') { if ($operator == 'OR') - $conditions .= "OR d.width >= '".trim($min)."' "; + $conditions .= "OR d.width >= ".$min." "; elseif ($operator == 'AND') - $conditions .= "AND d.width >= '".trim($min)."' "; + $conditions .= "AND d.width >= ".$min." "; else - $conditions .= "AND d.width < '".trim($min)."' "; + $conditions .= "AND d.width < ".$min." "; } // Both lower and upper limit @@ -1561,11 +1569,11 @@ if ($max != '') { if ($operator == 'OR') - $conditions .= "OR (d.width >= '".trim($min)."' AND d.width <= '".trim($max)."') "; + $conditions .= "OR (d.width >= ".(int)$min." AND d.width <= ".(int)$max.") "; elseif ($operator == 'AND') - $conditions .= "AND (d.width >= '".trim($min)."' AND d.width <= '".trim($max)."') "; + $conditions .= "AND (d.width >= ".(int)$min." AND d.width <= ".(int)$max.") "; else - $conditions .= "AND (d.width < '".trim($min)."' OR d.width > '".trim($max)."') "; + $conditions .= "AND (d.width < ".(int)$min." OR d.width > ".(int)$max.") "; } } else @@ -1573,11 +1581,11 @@ // Single value if ($operator == 'OR') - $conditions .= "OR d.width = '".trim($part_array[$k])."' "; + $conditions .= "OR d.width = ".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.width = '".trim($part_array[$k])."' "; + $conditions .= "AND d.width = ".(int)$part_array[$k]." "; else - $conditions .= "AND d.width != '".trim($part_array[$k])."' "; + $conditions .= "AND d.width != ".(int)$part_array[$k]." "; } } 
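Review bot: The `(int)$min` re-casts in the @@ -1561 hunk are redundant: `$min` was already cast by the `$min = (int) $min;` line added in the @@ -1545 hunk just above, and the earlier copy of this logic (the @@ -1219 hunk) uses plain `".$min."` after the same cast. Pick one convention across both functions — either cast once where `$min`/`$max` are assigned and interpolate the integer, or cast inline everywhere — so a reader does not have to check whether a bare `$min` is safe. The enclosing function begins before this hunk.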
@@ -1598,16 +1606,17 @@ // Only upper limit, set lower limit to make sure not text ads are delivered if ($min == '') $min = 1; + $min = (int) $min; // Only lower limit if ($max == '') { if ($operator == 'OR') - $conditions .= "OR d.height >= '".trim($min)."' "; + $conditions .= "OR d.height >= ".(int)$min." "; elseif ($operator == 'AND') - $conditions .= "AND d.height >= '".trim($min)."' "; + $conditions .= "AND d.height >= ".(int)$min." "; else - $conditions .= "AND d.height < '".trim($min)."' "; + $conditions .= "AND d.height < ".(int)$min." "; } // Both lower and upper limit @@ -1614,11 +1623,11 @@ if ($max != '') { if ($operator == 'OR') - $conditions .= "OR (d.height >= '".trim($min)."' AND d.height <= '".trim($max)."') "; + $conditions .= "OR (d.height >= ".(int)$min." AND d.height <= ".(int)$max.") "; elseif ($operator == 'AND') - $conditions .= "AND (d.height >= '".trim($min)."' AND d.height <= '".trim($max)."') "; + $conditions .= "AND (d.height >= ".(int)$min." AND d.height <= ".(int)$max.") "; else - $conditions .= "AND (d.height < '".trim($min)."' OR d.height > '".trim($max)."') "; + $conditions .= "AND (d.height < ".(int)$min." OR d.height > ".(int)$max.") "; } } else @@ -1626,11 +1635,11 @@ // Single value if ($operator == 'OR') - $conditions .= "OR d.height = '".trim($part_array[$k])."' "; + $conditions .= "OR d.height = ".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.height = '".trim($part_array[$k])."' "; + $conditions .= "AND d.height = ".(int)$part_array[$k]." "; else - $conditions .= "AND d.height != '".trim($part_array[$k])."' "; + $conditions .= "AND d.height != ".(int)$part_array[$k]." "; } } 
@@ -1645,11 +1654,11 @@ if ($part_array[$k]) { if ($operator == 'OR') - $conditions .= "OR d.bannerid='".$part_array[$k]."' "; + $conditions .= "OR d.bannerid=".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.bannerid='".$part_array[$k]."' "; + $conditions .= "AND d.bannerid=".(int)$part_array[$k]." "; else - $conditions .= "AND d.bannerid!='".$part_array[$k]."' "; + $conditions .= "AND d.bannerid!=".(int)$part_array[$k]." "; } $onlykeywords = false; @@ -1663,11 +1672,11 @@ if ($part_array[$k]) { if ($operator == 'OR') - $conditions .= "OR d.campaignid='".trim($part_array[$k])."' "; + $conditions .= "OR d.campaignid=".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.campaignid='".trim($part_array[$k])."' "; + $conditions .= "AND d.campaignid=".(int)$part_array[$k]." "; else - $conditions .= "AND d.campaignid!='".trim($part_array[$k])."' "; + $conditions .= "AND d.campaignid!=".(int)$part_array[$k]." "; } $onlykeywords = false; @@ -1680,11 +1689,11 @@ if($part_array[$k] != '' && $part_array[$k] != ' ') { if ($operator == 'OR') - $conditions .= "OR d.contenttype='".trim($part_array[$k])."' "; + $conditions .= "OR d.contenttype='".OX_escapeString(trim($part_array[$k]))."' "; elseif ($operator == 'AND') - $conditions .= "AND d.contenttype='".trim($part_array[$k])."' "; + $conditions .= "AND d.contenttype='".OX_escapeString(trim($part_array[$k]))."' "; else - $conditions .= "AND d.contenttype!='".trim($part_array[$k])."' "; + $conditions .= "AND d.contenttype!='".OX_escapeString(trim($part_array[$k]))."' "; } $onlykeywords = false; --------------050109040100010105000002--