From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4cXWL15P1Pz335N for ; Thu, 25 Sep 2025 11:13:29 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4cXWKr0F8kz334n for ; Thu, 25 Sep 2025 11:13:20 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4cXWKp5RQ5z447; Thu, 25 Sep 2025 11:13:18 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1758798798; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=WyE78U7W0VVPTSBbK2WaVHdmLcSv9zYjH1LzQZ3T+r8=; b=3zNKyD0nG3xGx72gBwgM3KMo3wgNSMHWiQxoDsXArZz/OupnrMUfQNKH8/M7d3IW0Aqiqz Slnw8xMxQCB9VMDg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1758798798; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=WyE78U7W0VVPTSBbK2WaVHdmLcSv9zYjH1LzQZ3T+r8=; b=M+rGZBhcBEaZXHGcs8dJ7pse/s3PQJK45vzG5qoyuY22F3JPSFwCyBAvZIUWYjkgMExFlp W54ITOaNpFaR6U52V1yfA+LRoT4OA7E0w5tj6uBOKe7D8lEWdVh592z2FMzBVpFYif+kaK mAp9SLhogA3gqaSigLwmMJ0ZZ7UbOBH4pvg483emm/xCoqKg/dn0CPP+l6fTexoZXyfmp4 tU9hj+c/hUzkLd61t8Sm8u2tvfrJvYLngmbZWGQRbhdurV7mDwK5zWP4tFoEriibzBTCSm 0SEQevJplLRTgj8EfgGzxJFwCvCq/m8MhrNfKZMtD5lSESPHwyg7mU5SyG4Ulg== From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH 16/16] proxy.cgi: Further fix for bug 13893 Date: Thu, 25 Sep 2025 13:12:52 +0200 Message-ID: <20250925111252.11893-16-adolf.belka@ipfire.org> In-Reply-To: <20250925111252.11893-1-adolf.belka@ipfire.org> References: <20250925111252.11893-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit - Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the description for that bug. - bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi which is incorrect except for TLS_HOSTNAME. - The other parameters are from proxy.cgi but no mitigation was shown for those in the bug report. - This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting Signed-off-by: Adolf Belka --- html/cgi-bin/proxy.cgi | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 1ade39381..3fbd78d2c 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -3977,8 +3977,16 @@ END print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n"; } - if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; } - if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; } + if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) + { + $proxysettings{'ADMIN_MAIL_ADDRESS'} = &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'}); + print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; + } + if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) + { + $proxysettings{'ADMIN_PASSWORD'} = &Header::escape($proxysettings{'ADMIN_PASSWORD'}); + print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; + } print FILE "\n"; print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n"; @@ -3994,8 +4002,13 @@ END # login=*:password ($proxysettings{'FORWARD_USERNAME'} eq 'on') if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS')) { + $proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'}); print FILE " login=$proxysettings{'UPSTREAM_USER'}"; - if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; } + if ($proxy1 eq 'YES') + { + $proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'}); + print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; + } } elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; } -- 2.51.0