From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH 16/16] proxy.cgi: Further fix for bug 13893
Date: Thu, 25 Sep 2025 13:12:52 +0200 [thread overview]
Message-ID: <20250925111252.11893-16-adolf.belka@ipfire.org> (raw)
In-Reply-To: <20250925111252.11893-1-adolf.belka@ipfire.org>
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/proxy.cgi | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 1ade39381..3fbd78d2c 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3977,8 +3977,16 @@ END
print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
}
- if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; }
- if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; }
+ if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq ''))
+ {
+ $proxysettings{'ADMIN_MAIL_ADDRESS'} = &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'});
+ print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n";
+ }
+ if (!($proxysettings{'ADMIN_PASSWORD'} eq ''))
+ {
+ $proxysettings{'ADMIN_PASSWORD'} = &Header::escape($proxysettings{'ADMIN_PASSWORD'});
+ print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n";
+ }
print FILE "\n";
print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n";
@@ -3994,8 +4002,13 @@ END
# login=*:password ($proxysettings{'FORWARD_USERNAME'} eq 'on')
if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS'))
{
+ $proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'});
print FILE " login=$proxysettings{'UPSTREAM_USER'}";
- if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; }
+ if ($proxy1 eq 'YES')
+ {
+ $proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'});
+ print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}";
+ }
}
elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; }
--
2.51.0
next prev parent reply other threads:[~2025-09-25 11:13 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
2025-09-25 11:12 ` [PATCH 02/16] ids.cgi: Fixes bug 13878 Adolf Belka
2025-09-25 12:51 ` Bernhard Bitsch
2025-09-25 11:12 ` [PATCH 03/16] ovpnclients.dat: Fixes bug 13879 Adolf Belka
2025-09-25 12:56 ` Bernhard Bitsch
2025-09-25 11:12 ` [PATCH 04/16] header.pl: Fixes bug 13880 Adolf Belka
2025-09-25 13:21 ` Bernhard Bitsch
2025-09-25 11:12 ` [PATCH 05/16] firewalllogip.dat: Fixes bug 13881 Adolf Belka
2025-09-25 13:36 ` Bernhard Bitsch
2025-09-25 11:12 ` [PATCH 06/16] firewalllogcountry.dat: Fixes bug 13882 Adolf Belka
2025-09-25 13:40 ` Bernhard Bitsch
2025-09-25 11:12 ` [PATCH 07/16] time.cgi: Fixes bug 13883 Adolf Belka
2025-09-25 13:45 ` Bernhard Bitsch
2025-09-25 11:12 ` [PATCH 08/16] ddns.cgi: Fixes bug 13884 Adolf Belka
2025-09-25 13:50 ` Bernhard Bitsch
2025-09-25 11:12 ` [PATCH 09/16] qos.cgi: Fixes bug 13885 Adolf Belka
2025-09-25 11:12 ` [PATCH 10/16] calamaris.dat: Fixes bug 13886 Adolf Belka
2025-09-25 11:12 ` [PATCH 11/16] urlfilter.cgi: Fixes bugs 13887, 13888 & 13889 Adolf Belka
2025-09-25 11:12 ` [PATCH 12/16] config.dat: Fixes bug 13890 Adolf Belka
2025-09-25 11:12 ` [PATCH 13/16] mail.cgi: Fixes bug 13891 Adolf Belka
2025-09-25 11:12 ` [PATCH 14/16] dns.cgi: Fixes bug 13892 Adolf Belka
2025-09-25 11:12 ` [PATCH 15/16] proxy.cgi: Fixes bug 13893 Adolf Belka
2025-09-25 11:12 ` Adolf Belka [this message]
2025-09-25 12:47 ` [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Bernhard Bitsch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250925111252.11893-16-adolf.belka@ipfire.org \
--to=adolf.belka@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox