High severity8.8NVD Advisory· Published Oct 6, 2017· Updated May 13, 2026

CVE-2017-15063


Description

There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
intelliants/subrionPackagist
>= 4.1, < 4.2.04.2.0


Patches

2
65fb937a588d

#547 - unused class variable

https://github.com/intelliants/subrionJanur JangaraevOct 10, 2017via ghsa
1 file changed · +1 3
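--- a/includes/classes/ia.core.php
+++ b/includes/classes/ia.core.php
@@ -70,8 +70,6 @@ final class iaCore
 
     protected $_checkDomain;
 
-    private $_securityTokenValue = '';
-
     public $iaDb;
     public $iaView;
     public $iaCache;
@@ -597,7 +595,7 @@ protected function _forgeryCheck()
         }
 
         // no need to test this for the several endpoints:
-        //  - 'API' page - used to communication with mobile apps
+        //  - 'API' page - used to communicate with mobile apps
         //  - IPN/IRN/other payment notification receiving endpoints
         if ('api' == $this->iaView->name()
             || (count($this->iaView->url) > 1 && 'ipn' == $this->iaView->url[0])) {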
    
5fdf03af1a7d

#547

https://github.com/intelliants/subrionJanur JangaraevOct 10, 2017via ghsa
1 file changed · +53 48
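--- a/includes/classes/ia.core.php
+++ b/includes/classes/ia.core.php
@@ -141,15 +141,15 @@ public function init()
         $this->iaView->definePage();
         $this->iaView->loadSmarty();
 
+        $this->_forgeryCheck();
+
         $this->startHook('bootstrap');
 
         $this->_defineModule();
         $this->iaView->defineOutput();
         $this->_checkPermissions();
         $this->_executeModule();
 
-        $this->_forgeryCheck();
-
         $this->startHook('phpCoreBeforeJsCache');
         $this->iaCache->createJsCache();
 
@@ -592,66 +592,76 @@ protected function _fetchHooks()
 
     protected function _forgeryCheck()
     {
-        if ($_POST && $this->get('prevent_csrf') && !$this->iaView->get('nocsrf')) {
-            $referrerValid = false;
-            $tokenValid = defined('PASSED_CSRF_TOKEN') && PASSED_CSRF_TOKEN === $this->getSecurityToken();
+        if (!$_POST || !$this->get('prevent_csrf')) {
+            return;
+        }
 
-            if (isset($_SERVER['HTTP_REFERER'])) {
-                $wwwChunk = 'www.';
+        // no need to test this for the several endpoints:
+        //  - 'API' page - used to communication with mobile apps
+        //  - IPN/IRN/other payment notification receiving endpoints
+        if ('api' == $this->iaView->name()
+            || (count($this->iaView->url) > 1 && 'ipn' == $this->iaView->url[0])) {
+            return;
+        }
 
-                $referrerDomain = explode(IA_URL_DELIMITER, $_SERVER['HTTP_REFERER']);
-                $referrerDomain = strtolower($referrerDomain[2]);
-                $referrerDomain = str_replace($wwwChunk, '', $referrerDomain);
+        $tokenValid = false;
+        $referrerValid = true;
 
-                $domain = explode(IA_URL_DELIMITER, $this->get('baseurl'));
-                $domain = strtolower($domain[2]);
-                $domain = str_replace($wwwChunk, '', $domain);
+        if (isset($_POST[self::SECURITY_TOKEN_FORM_KEY])) {
+            $tokenValid = $_POST[self::SECURITY_TOKEN_FORM_KEY] === $this->getSecurityToken();
+            unset($_POST[self::SECURITY_TOKEN_FORM_KEY]);
+        }
 
-                if ($referrerDomain === $domain) {
-                    $referrerValid = true;
-                }
-            } else {
-                $referrerValid = true; // sad, but no other way
-            }
+        if (isset($_SERVER['HTTP_REFERER'])) {
+            $wwwChunk = 'www.';
 
-            if (!$referrerValid || !$tokenValid) {
-                header('HTTP/1.1 203'); // reply with 203 "Non-Authoritative Information" status
+            $referrerDomain = explode(IA_URL_DELIMITER, $_SERVER['HTTP_REFERER']);
+            $referrerDomain = strtolower($referrerDomain[2]);
+            $referrerDomain = str_replace($wwwChunk, '', $referrerDomain);
 
-                $contentType = 'text/html';
-                $message = 'Request treated as a potential CSRF attack.';
+            $domain = explode(IA_URL_DELIMITER, $this->get('baseurl'));
+            $domain = strtolower($domain[2]);
+            $domain = str_replace($wwwChunk, '', $domain);
 
-                switch ($this->iaView->getRequestType()) {
-                    case iaView::REQUEST_JSON:
-                        $contentType = 'application/json';
+            if ($referrerDomain === $domain) {
+                $referrerValid = true;
+            }
+        }
 
-                        $output = json_encode(['result' => false, 'message' => $message]);
+        if (!$referrerValid || !$tokenValid) {
+            header('HTTP/1.1 203'); // reply with 203 "Non-Authoritative Information" status
 
-                        break;
+            $contentType = 'text/html';
+            $message = 'Request treated as a potential CSRF attack.';
 
-                    case iaView::REQUEST_XML:
-                        $contentType = 'text/xml';
+            switch ($this->iaView->getRequestType()) {
+                case iaView::REQUEST_JSON:
+                    $contentType = 'application/json';
 
-                        $xmlObject = new SimpleXMLElement('<?xml version="1.0" encoding="UTF-8"?>');
-                        $xmlObject->addChild('result', false);
-                        $xmlObject->addChild('message', $message);
+                    $output = json_encode(['result' => false, 'message' => $message]);
 
-                        $output = $xmlObject->asXML();
+                    break;
 
-                        break;
+                case iaView::REQUEST_XML:
+                    $contentType = 'text/xml';
 
-                    default:
-                        $output = $message;
-                }
+                    $xmlObject = new SimpleXMLElement('<?xml version="1.0" encoding="UTF-8"?>');
+                    $xmlObject->addChild('result', false);
+                    $xmlObject->addChild('message', $message);
 
-                $this->iaView->set('nodebug', true);
+                    $output = $xmlObject->asXML();
 
-                header('Content-Type: ' . $contentType);
-                die($output);
+                    break;
+
+                default:
+                    $output = $message;
             }
-        }
 
-        unset($_POST[self::SECURITY_TOKEN_FORM_KEY]);
+            $this->iaView->set('nodebug', true);
 
+            header('Content-Type: ' . $contentType);
+            die($output);
+        }
     }
 
     public function checkDomain()
@@ -891,11 +901,6 @@ protected function _setConstants()
 
         $iaView->theme = $this->get((self::ACCESS_ADMIN == $this->getAccessType() ? 'admin_' : '') . 'tmpl', 'default');
         define('IA_TPL_URL', $iaView->assetsUrl . (self::ACCESS_ADMIN == $this->getAccessType() ? 'admin/' : '') . 'templates/' . $iaView->theme . IA_URL_DELIMITER);
-
-        if (isset($_POST[self::SECURITY_TOKEN_FORM_KEY])) {
-            define('PASSED_CSRF_TOKEN', $_POST[self::SECURITY_TOKEN_FORM_KEY]);
-            unset($_POST[self::SECURITY_TOKEN_FORM_KEY]);
-        }
     }
 
     private function _setTimezone($timezone)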
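Review bot: In the rewritten `_forgeryCheck` hunk, `$referrerValid` is initialised to `true` and the only assignment inside the `HTTP_REFERER` branch also sets it to `true`, so a mismatched Referer can no longer fail the check — the whole referer comparison is dead code and the form token has silently become the sole gate. The removed version initialised it to `false` and set it only on a domain match (or when no header was sent); restoring that intent is a one-line change, replacing the `if ($referrerDomain === $domain) { $referrerValid = true; }` block with `$referrerValid = ($referrerDomain === $domain);`. The new `$tokenValid = $_POST[self::SECURITY_TOKEN_FORM_KEY] === $this->getSecurityToken();` line would also be more robust as `$tokenValid = is_string($_POST[self::SECURITY_TOKEN_FORM_KEY]) && hash_equals($this->getSecurityToken(), $_POST[self::SECURITY_TOKEN_FORM_KEY]);`, which rejects array-valued form fields cleanly and compares in constant time (assuming `getSecurityToken()` returns a string, which this hunk does not show). `init()` and `_setConstants()` in the other two hunks begin and end outside their hunks.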
    

