diff -C3 -r openx-2.8.7/lib/max/other/html.php ox287/lib/max/other/html.php *** openx-2.8.7/lib/max/other/html.php Tue Sep 14 14:25:56 2010 --- ox287/lib/max/other/html.php Sun Jul 31 01:00:20 2011 *************** *** 1272,1277 **** --- 1272,1278 ---- echo ""; } else { + $token = 'token='.phpAds_createSessionToken(); $i = 0; foreach ($channels as $channelId => $channel) { if ($i > 0) echo ""; *************** *** 1322,1328 **** echo ""; echo "{$GLOBALS[ {$GLOBALS['strEditChannelLimitations']}    "; ! echo "{$GLOBALS[ {$GLOBALS['strDelete']}    "; echo ""; $i++; --- 1323,1329 ---- echo ""; echo "{$GLOBALS[ {$GLOBALS['strEditChannelLimitations']}    "; ! echo "{$GLOBALS[ {$GLOBALS['strDelete']}    "; echo ""; $i++; *************** *** 1718,1724 **** //delete $deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteTracker']); ! addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "tracker-delete.php?clientid=".$advertiserId."&trackerid=".$trackerId."&returnurl=advertiser-trackers.php"), "iconDelete", null, $deleteConfirm); addPageShortcut($GLOBALS['strBackToTrackers'], MAX::constructUrl(MAX_URL_ADMIN, "advertiser-trackers.php?clientid=$advertiserId"), "iconBack"); } } --- 1719,1726 ---- //delete $deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteTracker']); ! $token = 'token='.phpAds_createSessionToken(); ! addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "tracker-delete.php?clientid=".$advertiserId."&trackerid=".$trackerId."&{$token}&returnurl=advertiser-trackers.php"), "iconDelete", null, $deleteConfirm); addPageShortcut($GLOBALS['strBackToTrackers'], MAX::constructUrl(MAX_URL_ADMIN, "advertiser-trackers.php?clientid=$advertiserId"), "iconBack"); } } *************** *** 1752,1758 **** } $deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteCampaign']); ! 
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "campaign-delete.php?clientid=$clientid&campaignid=$campaignid&returnurl=advertiser-campaigns.php"), "iconDelete", null, $deleteConfirm); } //shortcuts --- 1754,1761 ---- } $deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteCampaign']); ! $token = 'token='.phpAds_createSessionToken(); ! addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "campaign-delete.php?clientid=$clientid&campaignid=$campaignid&{$token}&returnurl=advertiser-campaigns.php"), "iconDelete", null, $deleteConfirm); } //shortcuts *************** *** 1827,1833 **** //delete if (!OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER)) { $deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteBanner']); ! addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "banner-delete.php?clientid=$advertiserId&campaignid=$campaignId&bannerid=$bannerId&returnurl=campaign-banners.php"), "iconDelete", null, $deleteConfirm); } /* Shortcuts */ --- 1830,1837 ---- //delete if (!OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER)) { $deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteBanner']); ! $token = 'token='.phpAds_createSessionToken(); ! addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "banner-delete.php?clientid=$advertiserId&campaignid=$campaignId&bannerid=$bannerId&{$token}&returnurl=campaign-banners.php"), "iconDelete", null, $deleteConfirm); } /* Shortcuts */ *************** *** 1884,1890 **** || OA_Permission::isAccount(OA_ACCOUNT_MANAGER) || OA_Permission::hasPermission(OA_PERM_ZONE_DELETE)) { $deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteZone']); ! 
addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "zone-delete.php?affiliateid=$affiliateid&zoneid=$zoneid&returnurl=affiliate-zones.php"), "iconDelete", null, $deleteConfirm); } //shortcut --- 1888,1895 ---- || OA_Permission::isAccount(OA_ACCOUNT_MANAGER) || OA_Permission::hasPermission(OA_PERM_ZONE_DELETE)) { $deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteZone']); ! $token = 'token='.phpAds_createSessionToken(); ! addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "zone-delete.php?affiliateid=$affiliateid&zoneid=$zoneid&{$token}&returnurl=affiliate-zones.php"), "iconDelete", null, $deleteConfirm); } //shortcut *************** *** 1907,1913 **** //delete $deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteChannel']); ! addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "channel-delete.php?&agencyid=$agencyid&affiliateid=$websiteId&channelid=$channelid&returnurl=$deleteReturlUrl"), "iconDelete", null, $deleteConfirm); } --- 1912,1919 ---- //delete $deleteConfirm = phpAds_DelConfirm($GLOBALS['strConfirmDeleteChannel']); ! $token = 'token='.phpAds_createSessionToken(); ! addPageLinkTool($GLOBALS["strDelete"], MAX::constructUrl(MAX_URL_ADMIN, "channel-delete.php?&agencyid=$agencyid&affiliateid=$websiteId&channelid=$channelid&{$token}&returnurl=$deleteReturlUrl"), "iconDelete", null, $deleteConfirm); } diff -C3 -r openx-2.8.7/lib/templates/admin/admin-search.html ox287/lib/templates/admin/admin-search.html *** openx-2.8.7/lib/templates/admin/admin-search.html Tue Sep 14 14:25:56 2010 --- ox287/lib/templates/admin/admin-search.html Sun Jul 31 01:00:20 2011 *************** *** 104,110 **** ! {t str=Delete} {t str=Delete}     --- 104,110 ---- ! {t str=Delete} {t str=Delete}     *************** *** 132,138 **** ! {t str=Delete} {t str=Delete}     --- 132,138 ---- ! {t str=Delete} {t str=Delete}     *************** *** 160,166 **** ! {t str=Delete} {t str=Delete}     --- 160,166 ---- ! 
{t str=Delete} {t str=Delete}     *************** *** 197,203 **** ! {t str=Delete} {t str=Delete}     --- 197,203 ---- ! {t str=Delete} {t str=Delete}     *************** *** 225,231 **** ! {t str=Delete} {t str=Delete}     --- 225,231 ---- ! {t str=Delete} {t str=Delete}     *************** *** 260,266 **** ! {t str=Delete} {t str=Delete}     --- 260,266 ---- ! {t str=Delete} {t str=Delete}     *************** *** 294,300 **** ! {t str=Delete} {t str=Delete}     --- 294,300 ---- ! {t str=Delete} {t str=Delete}     *************** *** 322,328 **** ! {t str=Delete} {t str=Delete}     --- 322,328 ---- ! {t str=Delete} {t str=Delete}     *************** *** 357,363 **** ! {t str=Delete} {t str=Delete}     --- 357,363 ---- ! {t str=Delete} {t str=Delete}     diff -C3 -r openx-2.8.7/lib/templates/admin/advertiser-index-list.html ox287/lib/templates/admin/advertiser-index-list.html *** openx-2.8.7/lib/templates/admin/advertiser-index-list.html Tue Sep 14 14:25:56 2010 --- ox287/lib/templates/admin/advertiser-index-list.html Sun Jul 31 00:29:47 2011 *************** *** 49,55 **** }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteClients}{literal}")) { ! window.location = 'advertiser-delete.php?clientid=' + ids.join(','); } } }); --- 49,55 ---- }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteClients}{literal}")) { ! window.location = 'advertiser-delete.php?clientid=' + ids.join(',') + '&token={/literal}{$token}{literal}'; } } }); diff -C3 -r openx-2.8.7/lib/templates/admin/advertiser-trackers-list.html ox287/lib/templates/admin/advertiser-trackers-list.html *** openx-2.8.7/lib/templates/admin/advertiser-trackers-list.html Tue Sep 14 14:25:56 2010 --- ox287/lib/templates/admin/advertiser-trackers-list.html Sun Jul 31 00:55:29 2011 *************** *** 52,58 **** }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteTrackers}{literal}")) { ! 
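Review bot: `'&token={/literal}{$token}{literal}'` drops the template variable into a single-quoted JavaScript string without any escaping, so the construct is only safe for as long as `phpAds_createSessionToken()` keeps returning a hex digest; `{$token|escape:'url'}` (the value ends up in a query string) would keep it safe if the generator ever changes. The same unescaped insertion is added in advertiser-trackers-list.html, banner-index-list.html, campaign-index-list.html, channel-index-list.html, website-index-list.html and zone-index-list.html. The jQuery handler that builds `window.location` starts outside the hunk.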
window.location = 'tracker-delete.php?clientid={/literal}{$clientId}{literal}&trackerid=' + ids.join(','); } } }); --- 52,58 ---- }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteTrackers}{literal}")) { ! window.location = 'tracker-delete.php?clientid={/literal}{$clientId}{literal}&trackerid=' + ids.join(',') + '&token={/literal}{$token}{literal}'; } } }); diff -C3 -r openx-2.8.7/lib/templates/admin/banner-index-list.html ox287/lib/templates/admin/banner-index-list.html *** openx-2.8.7/lib/templates/admin/banner-index-list.html Tue Sep 14 14:25:56 2010 --- ox287/lib/templates/admin/banner-index-list.html Sun Jul 31 00:45:02 2011 *************** *** 56,62 **** }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteBanners}{literal}")) { ! window.location = 'banner-delete.php?clientid={/literal}{$clientId}{literal}&campaignid={/literal}{$campaignId}{literal}&bannerid=' + ids.join(','); } } }); --- 56,62 ---- }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteBanners}{literal}")) { ! window.location = 'banner-delete.php?clientid={/literal}{$clientId}{literal}&campaignid={/literal}{$campaignId}{literal}&bannerid=' + ids.join(',') + '&token={/literal}{$token}{literal}'; } } }); diff -C3 -r openx-2.8.7/lib/templates/admin/campaign-index-list.html ox287/lib/templates/admin/campaign-index-list.html *** openx-2.8.7/lib/templates/admin/campaign-index-list.html Tue Sep 14 14:25:56 2010 --- ox287/lib/templates/admin/campaign-index-list.html Sun Jul 31 00:50:10 2011 *************** *** 56,62 **** }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteCampaigns}{literal}")) { ! window.location = 'campaign-delete.php?clientid={/literal}{$clientId}{literal}&campaignid=' + ids.join(','); } } }); --- 56,62 ---- }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteCampaigns}{literal}")) { ! 
window.location = 'campaign-delete.php?clientid={/literal}{$clientId}{literal}&campaignid=' + ids.join(',') + '&token={/literal}{$token}{literal}'; } } }); diff -C3 -r openx-2.8.7/lib/templates/admin/channel-index-list.html ox287/lib/templates/admin/channel-index-list.html *** openx-2.8.7/lib/templates/admin/channel-index-list.html Tue Sep 14 14:25:56 2010 --- ox287/lib/templates/admin/channel-index-list.html Sun Jul 31 00:54:00 2011 *************** *** 53,59 **** }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteChannels}{literal}")) { ! window.location = 'channel-delete.php?{/literal}{$entityId}{literal}&channelid=' + ids.join(','); } } }); --- 53,59 ---- }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteChannels}{literal}")) { ! window.location = 'channel-delete.php?{/literal}{$entityId}{literal}&channelid=' + ids.join(',') + '&token={/literal}{$token}{literal}'; } } }); diff -C3 -r openx-2.8.7/lib/templates/admin/website-index-list.html ox287/lib/templates/admin/website-index-list.html *** openx-2.8.7/lib/templates/admin/website-index-list.html Tue Sep 14 14:25:56 2010 --- ox287/lib/templates/admin/website-index-list.html Sun Jul 31 00:34:41 2011 *************** *** 48,54 **** }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteAffiliates}{literal}")) { ! window.location = 'affiliate-delete.php?affiliateid=' + ids.join(','); } } }); --- 48,54 ---- }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteAffiliates}{literal}")) { ! 
window.location = 'affiliate-delete.php?affiliateid=' + ids.join(',') + '&token={/literal}{$token}{literal}'; } } }); diff -C3 -r openx-2.8.7/lib/templates/admin/zone-index-list.html ox287/lib/templates/admin/zone-index-list.html *** openx-2.8.7/lib/templates/admin/zone-index-list.html Tue Sep 14 14:25:56 2010 --- ox287/lib/templates/admin/zone-index-list.html Sun Jul 31 01:00:20 2011 *************** *** 56,62 **** }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteZones}{literal}")) { ! window.location = 'zone-delete.php?affiliateid={/literal}{$affiliateId}{literal}&zoneid=' + ids.join(','); } } }); --- 56,62 ---- }); if (!tablePreferences.warningBeforeDelete || confirm("{/literal}{t str=ConfirmDeleteZones}{literal}")) { ! window.location = 'zone-delete.php?affiliateid={/literal}{$affiliateId}{literal}&zoneid=' + ids.join(',') + '&token={/literal}{$token}{literal}'; } } }); diff -C3 -r openx-2.8.7/www/admin/admin-search.php ox287/www/admin/admin-search.php *** openx-2.8.7/www/admin/admin-search.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/admin-search.php Sun Jul 31 00:32:14 2011 *************** *** 230,235 **** --- 230,237 ---- $oTpl->assign('aAffiliates', $aAffiliates); $oTpl->assign('aZones', $aZones); + $oTpl->assign('token', phpAds_createSessionToken()); + $oUI = new OA_Admin_UI_Search(); diff -C3 -r openx-2.8.7/www/admin/advertiser-campaigns.php ox287/www/admin/advertiser-campaigns.php *** openx-2.8.7/www/admin/advertiser-campaigns.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/advertiser-campaigns.php Sun Jul 31 00:50:10 2011 *************** *** 213,218 **** --- 213,219 ---- $oTpl->assign('isAdvertiser', OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER)); $oTpl->assign('canEdit', OA_Permission::hasPermission(OA_PERM_BANNER_ACTIVATE) || OA_Permission::hasPermission(OA_PERM_BANNER_EDIT)); $oTpl->assign('isManager', OA_Permission::isAccount(OA_ACCOUNT_MANAGER)); + $oTpl->assign('token', phpAds_createSessionToken()); 
/*-------------------------------------------------------*/ diff -C3 -r openx-2.8.7/www/admin/advertiser-delete.php ox287/www/admin/advertiser-delete.php *** openx-2.8.7/www/admin/advertiser-delete.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/advertiser-delete.php Sun Jul 31 00:33:02 2011 *************** *** 45,50 **** --- 45,52 ---- /*-------------------------------------------------------*/ if (!empty($clientid)) { + phpAds_checkSessionToken($_REQUEST['token']); + $ids = explode(',', $clientid); while (list(,$clientid) = each($ids)) { diff -C3 -r openx-2.8.7/www/admin/advertiser-index.php ox287/www/admin/advertiser-index.php *** openx-2.8.7/www/admin/advertiser-index.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/advertiser-index.php Sun Jul 31 00:29:44 2011 *************** *** 190,196 **** $oTpl->assign('listorder', $listorder); $oTpl->assign('orderdirection', $orderdirection); $oTpl->assign('MARKET_TYPE', DataObjects_Clients::ADVERTISER_TYPE_MARKET); ! /*-------------------------------------------------------*/ --- 190,196 ---- $oTpl->assign('listorder', $listorder); $oTpl->assign('orderdirection', $orderdirection); $oTpl->assign('MARKET_TYPE', DataObjects_Clients::ADVERTISER_TYPE_MARKET); ! 
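Review bot: `phpAds_checkSessionToken($_REQUEST['token'])` indexes `$_REQUEST` without an `isset()` guard, so a request that omits the parameter raises an undefined-index notice before the callee's own `isset($token)` check runs, and `$_REQUEST` may also merge cookie values depending on `request_order`; passing `isset($_GET['token']) ? $_GET['token'] : null` lets the function reject the missing value cleanly. The identical call is added in affiliate-delete.php, agency-delete.php, banner-delete.php, campaign-delete.php, channel-delete.php, tracker-delete.php, userlog-delete.php and zone-delete.php. The enclosing `if (!empty($clientid))` block continues past the hunk; note that the deletion is still triggered by a plain GET link, which the token now protects against forgery but which a link prefetcher on the admin page could still follow, so moving these actions to a POST form would be the longer-term fix.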
$oTpl->assign('token', phpAds_createSessionToken()); /*-------------------------------------------------------*/ diff -C3 -r openx-2.8.7/www/admin/advertiser-trackers.php ox287/www/admin/advertiser-trackers.php *** openx-2.8.7/www/admin/advertiser-trackers.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/advertiser-trackers.php Sun Jul 31 00:57:43 2011 *************** *** 113,118 **** --- 113,119 ---- $oTpl->assign('canEdit', OA_Permission::isAccount(OA_ACCOUNT_ADMIN) || OA_Permission::isAccount(OA_ACCOUNT_MANAGER)); $oTpl->assign('canLink', OA_Permission::isAccount(OA_ACCOUNT_ADMIN) || OA_Permission::isAccount(OA_ACCOUNT_MANAGER)); $oTpl->assign('canDelete', OA_Permission::isAccount(OA_ACCOUNT_ADMIN) || OA_Permission::isAccount(OA_ACCOUNT_MANAGER)); + $oTpl->assign('token', phpAds_createSessionToken()); /*-------------------------------------------------------*/ diff -C3 -r openx-2.8.7/www/admin/affiliate-channels.php ox287/www/admin/affiliate-channels.php *** openx-2.8.7/www/admin/affiliate-channels.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/affiliate-channels.php Sun Jul 31 00:54:00 2011 *************** *** 99,104 **** --- 99,105 ---- $oTpl->assign('entityUrl', 'affiliate-channels.php'); $oTpl->assign('entityId', 'affiliateid=' . 
$affiliateid); $oTpl->assign('affiliateId', $affiliateid); + $oTpl->assign('token', phpAds_createSessionToken()); /*-------------------------------------------------------*/ diff -C3 -r openx-2.8.7/www/admin/affiliate-delete.php ox287/www/admin/affiliate-delete.php *** openx-2.8.7/www/admin/affiliate-delete.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/affiliate-delete.php Sun Jul 31 00:33:02 2011 *************** *** 49,54 **** --- 49,56 ---- /*-------------------------------------------------------*/ if (!empty($affiliateid)) { + phpAds_checkSessionToken($_REQUEST['token']); + $ids = explode(',', $affiliateid); while (list(,$affiliateid) = each($ids)) { diff -C3 -r openx-2.8.7/www/admin/affiliate-zones.php ox287/www/admin/affiliate-zones.php *** openx-2.8.7/www/admin/affiliate-zones.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/affiliate-zones.php Sun Jul 31 01:00:20 2011 *************** *** 151,156 **** --- 151,157 ---- $oTpl->assign('canLink', OA_Permission::isAccount(OA_ACCOUNT_ADMIN) || OA_Permission::isAccount(OA_ACCOUNT_MANAGER) || OA_Permission::hasPermission(OA_PERM_ZONE_LINK)); $oTpl->assign('canInvocation', OA_Permission::isAccount(OA_ACCOUNT_ADMIN) || OA_Permission::isAccount(OA_ACCOUNT_MANAGER) || OA_Permission::hasPermission(OA_PERM_ZONE_INVOCATION)); $oTpl->assign('canDelete', OA_Permission::isAccount(OA_ACCOUNT_ADMIN) || OA_Permission::isAccount(OA_ACCOUNT_MANAGER) || OA_Permission::hasPermission(OA_PERM_ZONE_DELETE)); + $oTpl->assign('token', phpAds_createSessionToken()); /*-------------------------------------------------------*/ diff -C3 -r openx-2.8.7/www/admin/agency-delete.php ox287/www/admin/agency-delete.php *** openx-2.8.7/www/admin/agency-delete.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/agency-delete.php Sun Jul 31 00:45:02 2011 *************** *** 51,56 **** --- 51,58 ---- /*-------------------------------------------------------*/ if (!empty($agencyid)) { + phpAds_checkSessionToken($_REQUEST['token']); + $doAgency = 
OA_Dal::factoryDO('agency'); $doAgency->agencyid = $agencyid; $doAgency->get($agencyid); diff -C3 -r openx-2.8.7/www/admin/agency-index.php ox287/www/admin/agency-index.php *** openx-2.8.7/www/admin/agency-index.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/agency-index.php Sun Jul 31 00:45:02 2011 *************** *** 168,173 **** --- 168,174 ---- } else { + $token = 'token='.phpAds_createSessionToken(); $i=0; foreach (array_keys($aManagers) as $key) { *************** *** 202,208 **** // Delete echo "\t\t\t\t\t"; ! echo "$strDelete $strDelete    "; echo "\n"; echo "\t\t\t\t\n"; --- 203,209 ---- // Delete echo "\t\t\t\t\t"; ! echo "$strDelete $strDelete    "; echo "\n"; echo "\t\t\t\t\n"; diff -C3 -r openx-2.8.7/www/admin/banner-delete.php ox287/www/admin/banner-delete.php *** openx-2.8.7/www/admin/banner-delete.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/banner-delete.php Sun Jul 31 00:45:02 2011 *************** *** 49,54 **** --- 49,56 ---- /*-------------------------------------------------------*/ if (!empty($bannerid)) { + phpAds_checkSessionToken($_REQUEST['token']); + $ids = explode(',', $bannerid); while (list(,$bannerid) = each($ids)) { $doBanners = OA_Dal::factoryDO('banners'); diff -C3 -r openx-2.8.7/www/admin/campaign-banners.php ox287/www/admin/campaign-banners.php *** openx-2.8.7/www/admin/campaign-banners.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/campaign-banners.php Sun Jul 31 00:45:02 2011 *************** *** 231,236 **** --- 231,237 ---- $oTpl->assign('canActivate', !OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER) || OA_Permission::hasPermission(OA_PERM_BANNER_ACTIVATE)); $oTpl->assign('canDeactivate', !OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER) || OA_Permission::hasPermission(OA_PERM_BANNER_DEACTIVATE)); $oTpl->assign('canDelete', !OA_Permission::isAccount(OA_ACCOUNT_ADVERTISER)); + $oTpl->assign('token', phpAds_createSessionToken()); /*-------------------------------------------------------*/ diff -C3 -r 
openx-2.8.7/www/admin/campaign-delete.php ox287/www/admin/campaign-delete.php *** openx-2.8.7/www/admin/campaign-delete.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/campaign-delete.php Sun Jul 31 00:45:02 2011 *************** *** 49,54 **** --- 49,56 ---- /*-------------------------------------------------------*/ if (!empty($campaignid)) { + phpAds_checkSessionToken($_REQUEST['token']); + $ids = explode(',', $campaignid); while (list(,$campaignid) = each($ids)) { diff -C3 -r openx-2.8.7/www/admin/channel-delete.php ox287/www/admin/channel-delete.php *** openx-2.8.7/www/admin/channel-delete.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/channel-delete.php Sun Jul 31 00:45:02 2011 *************** *** 46,51 **** --- 46,53 ---- /*-------------------------------------------------------*/ if (!empty($channelid)) { + phpAds_checkSessionToken($_REQUEST['token']); + $ids = explode(',', $channelid); while (list(,$channelid) = each($ids)) { diff -C3 -r openx-2.8.7/www/admin/lib-sessions.inc.php ox287/www/admin/lib-sessions.inc.php *** openx-2.8.7/www/admin/lib-sessions.inc.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/lib-sessions.inc.php Sun Jul 31 01:26:59 2011 *************** *** 155,158 **** --- 155,187 ---- unset($_COOKIE['sessionID']); } + /** + * Create a session token to validate "things", + * i.e. 
protect against Cross-Site Request Forgeries + */ + function phpAds_createSessionToken() + { + global $session; + $token = md5(uniqid(rand(), true)); + $session['CSRFtoken'] = $token; + phpAds_SessionDataStore(); + return $token; + } + + /** + * Return the current session token + */ + function phpAds_checkSessionToken($token) + { + global $session; + if (isset($token) && isset($session['CSRFtoken'])) { + if ($token === $session['CSRFtoken']) { + return; + } + } + OA_Admin_UI::queueMessage('Wrong token', 'local', 'error', 0); + header('Location: index.php'); + exit; + } + ?> diff -C3 -r openx-2.8.7/www/admin/tracker-delete.php ox287/www/admin/tracker-delete.php *** openx-2.8.7/www/admin/tracker-delete.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/tracker-delete.php Sun Jul 31 00:45:02 2011 *************** *** 49,54 **** --- 49,56 ---- /*-------------------------------------------------------*/ if (!empty($trackerid)) { + phpAds_checkSessionToken($_REQUEST['token']); + $ids = explode(',', $trackerid); while (list(,$trackerid) = each($ids)) { diff -C3 -r openx-2.8.7/www/admin/userlog-delete.php ox287/www/admin/userlog-delete.php *** openx-2.8.7/www/admin/userlog-delete.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/userlog-delete.php Sun Jul 31 00:45:02 2011 *************** *** 39,44 **** --- 39,46 ---- /* Main code */ /*-------------------------------------------------------*/ + phpAds_checkSessionToken($_REQUEST['token']); + $doUserLog = OA_Dal::factoryDO('userlog'); $doUserLog->whereAdd('1=1'); $doUserLog->delete(DB_DATAOBJECT_WHEREADD_ONLY); diff -C3 -r openx-2.8.7/www/admin/userlog-maintenance.php ox287/www/admin/userlog-maintenance.php *** openx-2.8.7/www/admin/userlog-maintenance.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/userlog-maintenance.php Sun Jul 31 00:57:43 2011 *************** *** 130,138 **** if ($doUserLog->getRowCount() > 0) { echo ""; echo ""; ! 
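Review bot: `phpAds_createSessionToken()` derives the token from `md5(uniqid(rand(), true))`, and both `rand()` and `uniqid()` are time-seeded rather than cryptographically random, so the value is considerably more guessable than a CSRF token should be; `openssl_random_pseudo_bytes()` should be used where it is available. The function also overwrites `$session['CSRFtoken']` on every call, so if a single request creates a token more than once (the www/admin/*.php pages assign one to the template while lib/max/other/html.php creates another for the page-link tools) only the last one issued passes the check, and a second admin tab invalidates the first tab's delete links; returning the token already stored in the session addresses both. The docblock on `phpAds_checkSessionToken()` reads "Return the current session token", but the function validates `$token` against the session and redirects with a 'Wrong token' message on mismatch, so it should say `Validate the request token against the one stored in the session; on mismatch queue an error and redirect to index.php.` The `===` comparison is not constant-time; `hash_equals()` only exists from PHP 5.6, so whether that can be fixed depends on the project's minimum version.
```php
function phpAds_createSessionToken()
{
    global $session;
    // Reuse the token already bound to this session so that every page rendered
    // during the session (and every open tab) carries a token the check accepts.
    if (!empty($session['CSRFtoken'])) {
        return $session['CSRFtoken'];
    }
    // Prefer a CSPRNG; rand()/uniqid() are time-based and guessable.
    $token = function_exists('openssl_random_pseudo_bytes')
        ? bin2hex(openssl_random_pseudo_bytes(16))
        : md5(uniqid(mt_rand(), true));
    $session['CSRFtoken'] = $token;
    phpAds_SessionDataStore();
    return $token;
}
// … unchanged: phpAds_checkSessionToken …
```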
echo " ".$strDeleteLog.""; echo ""; if ($start > 0) { --- 130,139 ---- if ($doUserLog->getRowCount() > 0) { + $token = 'token='.phpAds_createSessionToken(); echo ""; echo ""; ! echo " ".$strDeleteLog.""; echo ""; if ($start > 0) { diff -C3 -r openx-2.8.7/www/admin/website-index.php ox287/www/admin/website-index.php *** openx-2.8.7/www/admin/website-index.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/website-index.php Sun Jul 31 00:35:03 2011 *************** *** 96,101 **** --- 96,102 ---- $oTpl->assign('phpAds_ZonePopup', phpAds_ZonePopup); $oTpl->assign('phpAds_ZoneText'. phpAds_ZoneText); $oTpl->assign('showAdDirect', (defined('OA_AD_DIRECT_ENABLED') && OA_AD_DIRECT_ENABLED === true) ? true : false); + $oTpl->assign('token', phpAds_createSessionToken()); /*-------------------------------------------------------*/ diff -C3 -r openx-2.8.7/www/admin/zone-delete.php ox287/www/admin/zone-delete.php *** openx-2.8.7/www/admin/zone-delete.php Tue Sep 14 14:25:56 2010 --- ox287/www/admin/zone-delete.php Sun Jul 31 00:45:02 2011 *************** *** 51,56 **** --- 51,58 ---- /*-------------------------------------------------------*/ if (!empty($zoneid)) { + phpAds_checkSessionToken($_REQUEST['token']); + $ids = explode(',', $zoneid); while (list(,$zoneid) = each($ids)) {