public inbox for development@lists.ipfire.org
* [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877
@ 2025-09-25 11:12 Adolf Belka
  2025-09-25 11:12 ` [PATCH 02/16] ids.cgi: Fixes bug 13878 Adolf Belka
                   ` (15 more replies)
  0 siblings, 16 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/fwhosts.cgi | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index 953f81e5f..a666969b0 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
+# Copyright (C) 2013-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -714,7 +714,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
 	}
 
 	if ($fwhostsettings{'update'} eq 'on'){
-		@target=$fwhostsettings{'COUNTRY_CODE'};
+		@target=&Header::escape($fwhostsettings{'COUNTRY_CODE'});
 		$type='Location Group';
 
 		#check if host/net exists in grp
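
Review bot: On the `@target=` line, COUNTRY_CODE is escaped rather than validated, and the escaped value is what the following "check if host/net exists in grp" step and the stored group will see. A country code has a narrow, fixed format, so rejecting anything that does not match a strict pattern (and setting $errormessage) would be tighter than storing an HTML-escaped string, and it avoids double escaping if the value is escaped again when the page is rendered.
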
@@ -796,7 +796,7 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice')
 		foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";}
 		$customservice{$key}[0] = $fwhostsettings{'SRV_NAME'};
 		$customservice{$key}[1] = $fwhostsettings{'SRV_PORT'};
-		$customservice{$key}[2] = $fwhostsettings{'PROT'};
+		$customservice{$key}[2] = &Header::escape($fwhostsettings{'PROT'});
 		$customservice{$key}[3] = $ICMP;
 		&General::writehasharray("$configsrv", \%customservice );
 		#reset fields
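
Review bot: Only index [2] (PROT) is escaped before `&General::writehasharray`, while SRV_NAME and SRV_PORT two lines above go into the same record as submitted. If those are validated earlier in saveservice, a short comment saying so would help; if not, they need the same treatment. PROT is presumably one of a few protocol names, so an allow-list check would be stricter than escaping.
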
-- 
2.51.0




* [PATCH 02/16] ids.cgi: Fixes bug 13878
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 12:51   ` Bernhard Bitsch
  2025-09-25 11:12 ` [PATCH 03/16] ovpnclients.dat: Fixes bug 13879 Adolf Belka
                   ` (14 subsequent siblings)
  15 siblings, 1 reply; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13878 - IGNORE_ENTRY_REMARK Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/ids.cgi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 994872564..9c6b393f6 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -105,7 +105,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq
 
 		# Assign hash values.
 		my $new_entry_address = $cgiparams{'IGNORE_ENTRY_ADDRESS'};
-		my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'};
+		my $new_entry_remark = &Header::escape($cgiparams{'IGNORE_ENTRY_REMARK'});
 
 		# Read-in ignoredfile.
 		&General::readhasharray($IDS::ignored_file, \%ignored) if (-e $IDS::ignored_file);
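
Review bot: The remark is escaped on its way into the ignore file, but IGNORE_ENTRY_ADDRESS on the line above is taken as submitted; please confirm the address is validated before it is written. Escaping at write time also means the file holds HTML entities, so any place that shows the remark through an escaping routine will display doubly escaped text. Escaping where the remark is printed would avoid that.
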
-- 
2.51.0




* [PATCH 03/16] ovpnclients.dat: Fixes bug 13879
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
  2025-09-25 11:12 ` [PATCH 02/16] ids.cgi: Fixes bug 13878 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 12:56   ` Bernhard Bitsch
  2025-09-25 11:12 ` [PATCH 04/16] header.pl: Fixes bug 13880 Adolf Belka
                   ` (13 subsequent siblings)
  15 siblings, 1 reply; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13879 - CONNECTION_NAME SQL Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/logs.cgi/ovpnclients.dat | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat
index 8fbf4f8fa..5e6baef3c 100644
--- a/html/cgi-bin/logs.cgi/ovpnclients.dat
+++ b/html/cgi-bin/logs.cgi/ovpnclients.dat
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2020 IPFire Team  <info@ipfire.org>                           #
+# Copyright (C) 2020 - 2025 IPFire Team  <info@ipfire.org>                    #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -141,7 +141,7 @@ my $database_query = qq(
         ORDER BY common_name, duration DESC;
 );
 
-if ($cgiparams{'CONNECTION_NAME'}) {
+if (($cgiparams{'CONNECTION_NAME'}) && ($cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/)) {
 	$database_query = qq(
 		SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent,
 			STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions
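
Review bot: With the added `=~ /^[a-zA-Z0-9]+$/` test in the `if`, a CONNECTION_NAME containing any other character (a hyphen, dot, underscore or space) no longer reaches this branch, and the page silently falls back to the default query above with no error shown. Either report the rejected name to the user, or, if the name is interpolated into this query string, pass it as a bound placeholder so the injection is fixed without restricting which names can be searched.
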
-- 
2.51.0




* [PATCH 04/16] header.pl: Fixes bug 13880
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
  2025-09-25 11:12 ` [PATCH 02/16] ids.cgi: Fixes bug 13878 Adolf Belka
  2025-09-25 11:12 ` [PATCH 03/16] ovpnclients.dat: Fixes bug 13879 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 13:21   ` Bernhard Bitsch
  2025-09-25 11:12 ` [PATCH 05/16] firewalllogip.dat: Fixes bug 13881 Adolf Belka
                   ` (12 subsequent siblings)
  15 siblings, 1 reply; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/cfgroot/header.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index 9492b467d..6e65f4137 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -647,7 +647,7 @@ sub cleanhtml {
 	# decode the UTF-8 text so that characters with diacritical marks such as
 	# umlauts are treated correctly by the escape command
 	$outstring = &Encode::decode("UTF-8",$outstring);
-	escape($outstring);
+	$outstring = escape($outstring);
 	# encode the text back to UTF-8 after running the escape command
 	$outstring = &Encode::encode("UTF-8",$outstring);
 	return $outstring;
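
Review bot: Assigning the return value on the `escape($outstring)` line is the right fix, but it turns escaping on for every caller of cleanhtml(), which until now returned the text unescaped. Values that other patches in this series pass through `&Header::escape` before storing would be escaped twice if they are later printed via cleanhtml(). The commit message should say which callers were checked.
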
-- 
2.51.0




* [PATCH 05/16] firewalllogip.dat: Fixes bug 13881
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (2 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 04/16] header.pl: Fixes bug 13880 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 13:36   ` Bernhard Bitsch
  2025-09-25 11:12 ` [PATCH 06/16] firewalllogcountry.dat: Fixes bug 13882 Adolf Belka
                   ` (11 subsequent siblings)
  15 siblings, 1 reply; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13881 - firewalllogip.dat pienumber Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/logs.cgi/firewalllogip.dat | 31 ++++++++++++++++---------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/html/cgi-bin/logs.cgi/firewalllogip.dat b/html/cgi-bin/logs.cgi/firewalllogip.dat
index a7c6e5f80..361fe526d 100644
--- a/html/cgi-bin/logs.cgi/firewalllogip.dat
+++ b/html/cgi-bin/logs.cgi/firewalllogip.dat
@@ -1,14 +1,23 @@
 #!/usr/bin/perl
-#
-# SmoothWall CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# JC HERITIER
-# page inspired from the initial firewalllog.dat
-#
-# Modified for IPFire by Christian Schmidt
-#	                    and Michael Tremer (www.ipfire.org)
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
 
 use strict;
 use Getopt::Std;
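
Review bot: The header rewrite at the top of the file is unrelated to bug 13881 and is larger than the fix itself. It drops the SmoothWall origin and the author credits (JC HERITIER, Christian Schmidt, Michael Tremer) and replaces "distributed under the terms of the GPL" with a GPL version 3 or later notice. Please move it to a separate commit with its own justification so the security fix stays a one-line change that is easy to backport.
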
@@ -61,7 +70,7 @@ if ($settings{'showpie'} != 0) { $cgiparams{'showpie'} = $settings{'showpie'} };
 if ($settings{'sortcolumn'} != 0) { $cgiparams{'sortcolumn'} = $settings{'sortcolumn'} };
 
 &Header::getcgihash(\%cgiparams);
-if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = $cgiparams{'pienumber'} };
+if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = &Header::escape($cgiparams{'pienumber'}) };
 if ($cgiparams{'otherspie'} != 0) { $settings{'otherspie'} = $cgiparams{'otherspie'} };
 if ($cgiparams{'showpie'} != 0) { $settings{'showpie'} = $cgiparams{'showpie'} };
 if ($cgiparams{'sortcolumn'} != 0) { $settings{'sortcolumn'} = $cgiparams{'sortcolumn'} };
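
Review bot: pienumber is compared numerically (`!= 0`) and then stored as escaped text. A value such as `1<b>` still passes the numeric test because Perl uses its leading digits, so the setting ends up holding escaped markup rather than a number. Requiring `/^\d+$/` before the assignment would reject such input outright; otherspie, showpie and sortcolumn on the next three lines are copied the same way with no check.
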
-- 
2.51.0




* [PATCH 06/16] firewalllogcountry.dat: Fixes bug 13882
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (3 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 05/16] firewalllogip.dat: Fixes bug 13881 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 13:40   ` Bernhard Bitsch
  2025-09-25 11:12 ` [PATCH 07/16] time.cgi: Fixes bug 13883 Adolf Belka
                   ` (10 subsequent siblings)
  15 siblings, 1 reply; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13882 - firewalllogcountry.dat pienumber Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/logs.cgi/firewalllogcountry.dat | 31 +++++++++++++-------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/html/cgi-bin/logs.cgi/firewalllogcountry.dat b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
index 4e998a567..b7fded9e3 100644
--- a/html/cgi-bin/logs.cgi/firewalllogcountry.dat
+++ b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
@@ -1,14 +1,23 @@
 #!/usr/bin/perl
-#
-# SmoothWall CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# JC HERITIER
-# page inspired from the initial firewalllog.dat
-#
-# Modified for IPFire by Christian Schmidt
-#			    and Michael Tremer (www.ipfire.org)
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
 
 use strict;
 use Getopt::Std;
@@ -61,7 +70,7 @@ if ($settings{'showpie'} != 0) { $cgiparams{'showpie'} = $settings{'showpie'} };
 if ($settings{'sortcolumn'} != 0) { $cgiparams{'sortcolumn'} = $settings{'sortcolumn'} };
 
 &Header::getcgihash(\%cgiparams);
-if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = $cgiparams{'pienumber'} };
+if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = &Header::escape($cgiparams{'pienumber'}) };
 if ($cgiparams{'otherspie'} != 0) { $settings{'otherspie'} = $cgiparams{'otherspie'} };
 if ($cgiparams{'showpie'} != 0) { $settings{'showpie'} = $cgiparams{'showpie'} };
 if ($cgiparams{'sortcolumn'} != 0) { $settings{'sortcolumn'} = $cgiparams{'sortcolumn'} };
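
Review bot: This is the same one-line change to pienumber as in firewalllogip.dat, so the two files now carry duplicated handling of the same four parameters. A shared helper that accepts only digits for pienumber, otherspie, showpie and sortcolumn would fix both pages in one place and cover the three parameters this hunk leaves unescaped.
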
-- 
2.51.0




* [PATCH 07/16] time.cgi: Fixes bug 13883
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (4 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 06/16] firewalllogcountry.dat: Fixes bug 13882 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 13:45   ` Bernhard Bitsch
  2025-09-25 11:12 ` [PATCH 08/16] ddns.cgi: Fixes bug 13884 Adolf Belka
                   ` (9 subsequent siblings)
  15 siblings, 1 reply; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13883 - time.cgi UPDATE_VALUE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/time.cgi | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/time.cgi b/html/cgi-bin/time.cgi
index 04c1e771f..d465354bb 100644
--- a/html/cgi-bin/time.cgi
+++ b/html/cgi-bin/time.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2010  IPFire Team                                             #
+# Copyright (C) 2010-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -78,6 +78,7 @@ if ($timesettings{'ACTION'} eq $Lang::tr{'save'})
 	if (!($timesettings{'UPDATE_VALUE'} =~ /^\d+$/) || $timesettings{'UPDATE_VALUE'} <= 0)
 	{
 		$errormessage = $Lang::tr{'invalid time period'};
+		$timesettings{'UPDATE_VALUE'} = 0;
 		goto ERROR;
 	}
 
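
Review bot: The added `$timesettings{'UPDATE_VALUE'} = 0;` replaces the rejected input with 0, which this same condition treats as invalid (`<= 0`), so the form is redisplayed with a value that cannot be saved. Restoring the previously saved value, or escaping UPDATE_VALUE where it is printed, would keep the error path safe without showing a bogus number. A comment on why the value is reset would also help.
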
-- 
2.51.0




* [PATCH 08/16] ddns.cgi: Fixes bug 13884
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (5 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 07/16] time.cgi: Fixes bug 13883 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 13:50   ` Bernhard Bitsch
  2025-09-25 11:12 ` [PATCH 09/16] qos.cgi: Fixes bug 13885 Adolf Belka
                   ` (8 subsequent siblings)
  15 siblings, 1 reply; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13884 - ddns.cgi LOGIN PASSWORD SERVICE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/ddns.cgi | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi
index 34475b75c..60565da3f 100644
--- a/html/cgi-bin/ddns.cgi
+++ b/html/cgi-bin/ddns.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2014  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -226,6 +226,9 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::
 			flock FILE, 2;
 
 			# Add account data to the file.
+			$settings{'SERVICE'} = &Header::escape(($settings{'SERVICE'});
+			$settings{'LOGIN'} = &Header::escape(($settings{'LOGIN'});
+			$settings{'PASSWORD'} = &Header::escape(($settings{'PASSWORD'});
 			print FILE "$settings{'SERVICE'},$hostname,$domain,$settings{'PROXY'},$settings{'WILDCARDS'},$settings{'LOGIN'},$settings{'PASSWORD'},$settings{'ENABLED'}\n";
 
 			# Close file after writing.
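
Review bot: The three added lines do not compile: `&Header::escape(($settings{'SERVICE'});` opens two parentheses and closes one, and the LOGIN and PASSWORD lines have the same typo. Beyond that, escaping LOGIN and PASSWORD before `print FILE` changes the credentials that are stored, so a password containing a character that HTML escaping rewrites, such as `&` or `<`, would be written in altered form. Store the credentials as entered and escape them only where the page prints them.
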
-- 
2.51.0




* [PATCH 09/16] qos.cgi: Fixes bug 13885
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (6 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 08/16] ddns.cgi: Fixes bug 13884 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 11:12 ` [PATCH 10/16] calamaris.dat: Fixes bug 13886 Adolf Belka
                   ` (7 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13885 - qos.cgi INC_SPD OUT_SPD DEFCLASS_INC DEFCLASS_OUT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/qos.cgi | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi
index 52392be08..8400bafdf 100644
--- a/html/cgi-bin/qos.cgi
+++ b/html/cgi-bin/qos.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -671,6 +671,8 @@ END
 END
 ;
 	if (($qossettings{'OUT_SPD'} ne '') && ($qossettings{'INC_SPD'} ne '')) {
+		$qossettings{'OUT_SPD'} = &Header::escape($qossettings{'OUT_SPD'});
+		$qossettings{'INC_SPD'} = &Header::escape($qossettings{'INC_SPD'});
 		print <<END
     <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	  <table width='100%'>
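
Review bot: OUT_SPD and INC_SPD are overwritten in %qossettings right before the heredoc, so any code after this point that reads those keys gets the escaped text. Escaping into local variables used only in the form would avoid that side effect. Since both are speeds, rejecting non-numeric values when they are saved would address the stored value as well.
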
@@ -683,6 +685,8 @@ END
 ;
 	}
 	if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')) {
+		$qossettings{'DEFCLASS_OUT'} = &Header::escape($qossettings{'DEFCLASS_OUT'});
+		$qossettings{'DEFCLASS_INC'} = &Header::escape($qossettings{'DEFCLASS_INC'});
 		print <<END
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 		<table width='100%'>
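
Review bot: Escaping DEFCLASS_OUT and DEFCLASS_INC at this point protects only this form. The bug is reported as stored XSS, so the unvalidated values remain in the settings and any other place that prints them is still exposed. Validate the two class values at save time and keep the output escaping as a second layer.
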
-- 
2.51.0




* [PATCH 10/16] calamaris.dat: Fixes bug 13886
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (7 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 09/16] qos.cgi: Fixes bug 13885 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 11:12 ` [PATCH 11/16] urlfilter.cgi: Fixes bugs 13887, 13888 & 13889 Adolf Belka
                   ` (6 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13886 - calamaris.dat Multiple Parameters Command Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/logs.cgi/calamaris.dat | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/html/cgi-bin/logs.cgi/calamaris.dat b/html/cgi-bin/logs.cgi/calamaris.dat
index dcc812e47..1c8e4b68e 100644
--- a/html/cgi-bin/logs.cgi/calamaris.dat
+++ b/html/cgi-bin/logs.cgi/calamaris.dat
@@ -170,6 +170,10 @@ if ($reportsettings{'ACTION'} eq $Lang::tr{'calamaris create report'})
 
 	if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; }
 
+	if (!($commandline =~ /^[a-zA-Z0-9-\s]+$/))
+	{
+		die "Invalid input in\"$commandline\"";
+	}
 	system("${General::swroot}/proxy/calamaris/bin/mkreport $commandline")
 }
 
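
Review bot: The new check runs after `$commandline.=" &";`, and `&` is not in `[a-zA-Z0-9-\s]`, so every report requested with RUN_BACKGROUND set to on now hits the `die`. Validate the individual parameters before the command line is assembled, and report a failure in the page rather than with `die`, which leaves the user with a server error. Note also that `\s` admits newlines, and that the single-string `system(...)` call still goes through the shell.
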
-- 
2.51.0




* [PATCH 11/16] urlfilter.cgi: Fixes bugs 13887, 13888 & 13889
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (8 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 10/16] calamaris.dat: Fixes bug 13886 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 11:12 ` [PATCH 12/16] config.dat: Fixes bug 13890 Adolf Belka
                   ` (5 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13887 - urlfilter.cgi BE_NAME Command Injection
Fixes: bug 13888 - urlfilter.cgi USERQUOTA QUOTA_USERS Stored Cross-Site Scripting
Fixes: bug 13889 - urlfilter.cgi TIMECONSTRAINT SRC DST COMMENT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/urlfilter.cgi | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/urlfilter.cgi b/html/cgi-bin/urlfilter.cgi
index 1ced06e26..2467f297c 100644
--- a/html/cgi-bin/urlfilter.cgi
+++ b/html/cgi-bin/urlfilter.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2005-2010  IPFire Team                                        #
+# Copyright (C) 2005-2025  IPFire Team                                        #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -576,7 +576,7 @@ if (($uqsettings{'MODE'} eq 'USERQUOTA') && ($uqsettings{'ACTION'} eq $Lang::tr{
 
 	$_  = $uqsettings{'QUOTA_USERS'};
 	chomp; s/\n/|/g;
-	my $quota_users = $_;
+	my $quota_users = &Header::escape($_);
 
 	if ($uqsettings{'QUOTA_USERS'} =~ /\\/)
 	{
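
Review bot: `$quota_users` is escaped before it is stored, while the backslash test just below still inspects the raw `$uqsettings{'QUOTA_USERS'}`. If the stored list is later compared against real user names, a name containing a character that escaping rewrites will no longer match. Validating the permitted characters in user names here and escaping on output would avoid changing the stored data.
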
@@ -936,6 +936,11 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter install blacklist'}) && ($bes
 		close FILE;
 
 		# XXX uses globbing
+		if(!($besettings{'BE_NAME'} =~ /^[a-zA-Z0-9-_]+$/))
+		{
+			$errormessage = 'Invalid blacklist name (use only alphanumeric characters plus hyphens or underscores)';
+			goto ERROR;
+		}
 		system("rm -f $dbdir/$besettings{'BE_NAME'}/*.db");
 		&General::system("/usr/bin/squidGuard", "-c", "$editdir/install.conf", "-C", "all");
 		# XXX uses globbing
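
Review bot: The BE_NAME check sits after `close FILE;`, so a file has already been written by the time an invalid name is rejected; moving the check to the start of this action would stop before anything is touched. In the character class `[a-zA-Z0-9-_]` the hyphen is better placed last (`[a-zA-Z0-9_-]`) so it cannot be misread as a range, and the error text is hard-coded English where the surrounding code uses `$Lang::tr{...}`.
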
@@ -2047,6 +2052,10 @@ foreach $line (@tclist)
 	if ($temp[7] eq 'on') { $time.=$Lang::tr{'urlfilter sun'}; } else { $time.='='; }
 	$time=$time.' &nbsp; '.$temp[8].':'.$temp[9].' to '.$temp[10].':'.$temp[11];
 
+	$temp[12] = &Header::escape($temp[12]);
+	$temp[13] = &Header::escape($temp[13]);
+	$temp[16] = &Header::escape($temp[16]);
+
 print <<END
 		<td align='center'>$temp[0]</td>
 		<td align='center' nowrap>$time</td>
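
Review bot: Indices 12, 13 and 16 are escaped with no indication of which fields they are; a comment naming them (the bug title mentions SRC, DST and COMMENT) would make this reviewable. `$temp[0]` and the `$temp[8]` to `$temp[11]` values that go into `$time` are printed in the same table unescaped, so please confirm they are validated when saved.
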
-- 
2.51.0




* [PATCH 12/16] config.dat: Fixes bug 13890
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (9 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 11/16] urlfilter.cgi: Fixes bugs 13887, 13888 & 13889 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 11:12 ` [PATCH 13/16] mail.cgi: Fixes bug 13891 Adolf Belka
                   ` (4 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13890 - config.dat REMOTELOG_ADDR Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/logs.cgi/config.dat | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/html/cgi-bin/logs.cgi/config.dat b/html/cgi-bin/logs.cgi/config.dat
index aed0db9cf..e4b173ffb 100644
--- a/html/cgi-bin/logs.cgi/config.dat
+++ b/html/cgi-bin/logs.cgi/config.dat
@@ -1,13 +1,23 @@
 #!/usr/bin/perl
-#
-# IPFire CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# (c) The IPFire Team
-#
-# $Id: config.dat,v 1.2.2.10 2005/06/14 12:32:07 eoberlander Exp $
-#
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
 
 use strict;
 
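
Review bot: The header replacement is unrelated to bug 13890. It removes the `$Id: config.dat,v 1.2.2.10 2005/06/14 ...` line, which dates the file to 2005, and adds a copyright range that starts at 2007. Please split it into its own commit and check the start year.
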
@@ -143,6 +153,7 @@ END
 &Header::closebox();
 
 &Header::openbox('100%', 'left', $Lang::tr{'remote logging'});
+$logsettings{'REMOTELOG_ADDR'} = &Header::escape($logsettings{'REMOTELOG_ADDR'});
 print <<END
 <table width='100%'>
 <tr>
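
Review bot: REMOTELOG_ADDR is overwritten in %logsettings just before the form is printed, so the hash holds the escaped string from here on. Use a local variable for display, and since this is a log server address, validate it as a host name or IP address when it is saved.
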
-- 
2.51.0




* [PATCH 13/16] mail.cgi: Fixes bug 13891
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (10 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 12/16] config.dat: Fixes bug 13890 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 11:12 ` [PATCH 14/16] dns.cgi: Fixes bug 13892 Adolf Belka
                   ` (3 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13891 - mail.cgi txt_mailuser txt_mailpass Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/mail.cgi | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi
index 0ed3dfeca..aae4abc31 100644
--- a/html/cgi-bin/mail.cgi
+++ b/html/cgi-bin/mail.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -102,8 +102,8 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}"){ #SaveButton on configsite
 		$mail{'RECIPIENT'}		= $cgiparams{'txt_recipient'};
 
 		if ($cgiparams{'txt_mailuser'} && $cgiparams{'txt_mailpass'}) {
-			$auth{'AUTHNAME'}		= $cgiparams{'txt_mailuser'};
-			$auth{'AUTHPASS'}		= $cgiparams{'txt_mailpass'};
+			$auth{'AUTHNAME'}		= &Header::escape($cgiparams{'txt_mailuser'});
+			$auth{'AUTHPASS'}		= &Header::escape($cgiparams{'txt_mailpass'});
 			$auth{'AUTHHOST'}		= $cgiparams{'txt_mailserver'};
 			print TXT1 "$auth{'AUTHNAME'}|$auth{'AUTHHOST'}:$auth{'AUTHPASS'}\n";
 		}
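
Review bot: AUTHNAME and AUTHPASS are escaped and then written by `print TXT1`, so the stored mail credentials differ from what the user entered whenever they contain a character that HTML escaping rewrites, such as `&` or `<`. AUTHHOST from txt_mailserver goes into the same line unchanged. Keep the credentials verbatim in the file, escape them only when the page prints them, and validate the server name.
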
-- 
2.51.0




* [PATCH 14/16] dns.cgi: Fixes bug 13892
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (11 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 13/16] mail.cgi: Fixes bug 13891 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 11:12 ` [PATCH 15/16] proxy.cgi: Fixes bug 13893 Adolf Belka
                   ` (2 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13892 - dns.cgi TLS_HOSTNAME Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/dns.cgi | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi
index 0d3b14797..a4f1c719e 100644
--- a/html/cgi-bin/dns.cgi
+++ b/html/cgi-bin/dns.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2005-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2005-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -187,6 +187,7 @@ if (($cgiparams{'SERVERS'} eq $Lang::tr{'save'}) || ($cgiparams{'SERVERS'} eq $L
 		}
 
 		# Add/Modify the entry to/in the dns_servers hash.
+		$cgiparams{'TLS_HOSTNAME'} = &Header::escape($cgiparams{'TLS_HOSTNAME'});
 		$dns_servers{$id} = ["$cgiparams{'NAMESERVER'}", "$cgiparams{'TLS_HOSTNAME'}", "$status", "$cgiparams{'REMARK'}"];
 
 		# Write the changed hash to the config file.
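Review bot: on the added line TLS_HOSTNAME is HTML-escaped, but a TLS hostname has a narrow legal syntax, so rejecting anything that is not a valid hostname before it reaches %dns_servers would be stricter and would keep encoded text out of the stored config. REMARK is placed into the same array on the next line without any escaping in the visible context; please confirm it is escaped when the table is rendered.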
-- 
2.51.0




* [PATCH 15/16] proxy.cgi: Fixes bug 13893
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (12 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 14/16] dns.cgi: Fixes bug 13892 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 11:12 ` [PATCH 16/16] proxy.cgi: Further fix for " Adolf Belka
  2025-09-25 12:47 ` [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Bernhard Bitsch
  15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/proxy.cgi | 1 +
 1 file changed, 1 insertion(+)

diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index bdce2fa66..1ade39381 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3973,6 +3973,7 @@ END
 	{
 		print FILE " $mainsettings{'HOSTNAME'}.$mainsettings{'DOMAINNAME'}\n\n";
 	} else {
+		$proxysettings{'VISIBLE_HOSTNAME'} = &Header::escape($proxysettings{'VISIBLE_HOSTNAME'});
 		print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
 	}
 
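Review bot: the added escape sits in the else branch directly before print FILE, so it acts on the generated file rather than on the HTML page, and it rewrites $proxysettings{'VISIBLE_HOSTNAME'} in place each time this code runs. HTML escaping does not restrict whitespace or line breaks in a value that becomes one line of that file. Validating VISIBLE_HOSTNAME as a hostname when the form is saved, and escaping at the point of HTML output, would cover both the file and the page.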
-- 
2.51.0




* [PATCH 16/16] proxy.cgi: Further fix for bug 13893
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (13 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 15/16] proxy.cgi: Fixes bug 13893 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
  2025-09-25 12:47 ` [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Bernhard Bitsch
  15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
   for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
   description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
   ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
   which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
   bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
   ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD

Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/proxy.cgi | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 1ade39381..3fbd78d2c 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3977,8 +3977,16 @@ END
 		print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
 	}
 
-	if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; }
-	if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; }
+	if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq ''))
+		{
+			$proxysettings{'ADMIN_MAIL_ADDRESS'} = &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'});
+			print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n";
+		}
+	if (!($proxysettings{'ADMIN_PASSWORD'} eq ''))
+		{
+			$proxysettings{'ADMIN_PASSWORD'} = &Header::escape($proxysettings{'ADMIN_PASSWORD'});
+			print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n";
+		}
 	print FILE "\n";
 
 	print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n";
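Review bot: in the ADMIN_PASSWORD block the escaped value is what gets written after cachemgr_passwd, so a password containing characters that &Header::escape rewrites will differ in the file from the one the administrator entered. ADMIN_MAIL_ADDRESS is better served by a mail-address validity check on save. Style: the opening braces of both new blocks are indented one level deeper than their `if`, unlike the `{` under `if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS'))` in the next hunk.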
@@ -3994,8 +4002,13 @@ END
 		# login=*:password      ($proxysettings{'FORWARD_USERNAME'} eq 'on')
 		if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS'))
 		{
+			$proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'});
 			print FILE " login=$proxysettings{'UPSTREAM_USER'}";
-			if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; }
+			if ($proxy1 eq 'YES')
+			{
+				$proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'});
+				print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}";
+			}
 		}
 		elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; }
 
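Review bot: UPSTREAM_USER and UPSTREAM_PASSWORD are the credentials written into login=user:password, so HTML-escaping them here alters what is written for the upstream login whenever they contain a rewritten character, while the raw values presumably remain in the saved settings that the page displays. If the XSS sink is the settings form, the escape belongs where those fields are printed into HTML; at this point a check that neither value contains whitespace or a line break fits the file format better.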
-- 
2.51.0




* Re: [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877
  2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
                   ` (14 preceding siblings ...)
  2025-09-25 11:12 ` [PATCH 16/16] proxy.cgi: Further fix for " Adolf Belka
@ 2025-09-25 12:47 ` Bernhard Bitsch
  15 siblings, 0 replies; 24+ messages in thread
From: Bernhard Bitsch @ 2025-09-25 12:47 UTC (permalink / raw)
  To: development

Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>

On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
> Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/fwhosts.cgi | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
> index 953f81e5f..a666969b0 100644
> --- a/html/cgi-bin/fwhosts.cgi
> +++ b/html/cgi-bin/fwhosts.cgi
> @@ -2,7 +2,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
> +# Copyright (C) 2013-2025  IPFire Team  <info@ipfire.org>                     #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
> @@ -714,7 +714,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
>   	}
>   
>   	if ($fwhostsettings{'update'} eq 'on'){
> -		@target=$fwhostsettings{'COUNTRY_CODE'};
> +		@target=&Header::escape($fwhostsettings{'COUNTRY_CODE'});
>   		$type='Location Group';
>   
>   		#check if host/net exists in grp
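Review bot: COUNTRY_CODE on the changed line is escaped rather than validated. A country code has a fixed short form, so rejecting values that do not match the expected pattern (or are not in the known location list) before assigning @target would stop bad input from being stored at all, instead of storing it encoded.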
> @@ -796,7 +796,7 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice')
>   		foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";}
>   		$customservice{$key}[0] = $fwhostsettings{'SRV_NAME'};
>   		$customservice{$key}[1] = $fwhostsettings{'SRV_PORT'};
> -		$customservice{$key}[2] = $fwhostsettings{'PROT'};
> +		$customservice{$key}[2] = &Header::escape($fwhostsettings{'PROT'});
>   		$customservice{$key}[3] = $ICMP;
>   		&General::writehasharray("$configsrv", \%customservice );
>   		#reset fields
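Review bot: only index [2] (PROT) is escaped; SRV_NAME and SRV_PORT go into the same record at [0] and [1] unescaped in the visible context before &General::writehasharray stores it, so please confirm they are validated earlier. If PROT can only be one of a fixed set of protocol names, an allow-list comparison would be a tighter check than &Header::escape.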




* Re: [PATCH 02/16] ids.cgi: Fixes bug 13878
  2025-09-25 11:12 ` [PATCH 02/16] ids.cgi: Fixes bug 13878 Adolf Belka
@ 2025-09-25 12:51   ` Bernhard Bitsch
  0 siblings, 0 replies; 24+ messages in thread
From: Bernhard Bitsch @ 2025-09-25 12:51 UTC (permalink / raw)
  To: development

Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>

On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13878 - IGNORE_ENTRY_REMARK Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/ids.cgi | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
> index 994872564..9c6b393f6 100644
> --- a/html/cgi-bin/ids.cgi
> +++ b/html/cgi-bin/ids.cgi
> @@ -2,7 +2,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
> @@ -105,7 +105,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq
>   
>   		# Assign hash values.
>   		my $new_entry_address = $cgiparams{'IGNORE_ENTRY_ADDRESS'};
> -		my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'};
> +		my $new_entry_remark = &Header::escape($cgiparams{'IGNORE_ENTRY_REMARK'});
>   
>   		# Read-in ignoredfile.
>   		&General::readhasharray($IDS::ignored_file, \%ignored) if (-e $IDS::ignored_file);
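Review bot: escaping IGNORE_ENTRY_REMARK when it is read from %cgiparams means the encoded form is what gets stored in the ignored file, so a remark that is loaded into the edit form and saved again risks being encoded a second time. Escaping where the remark is printed keeps the stored data raw. IGNORE_ENTRY_ADDRESS on the line above is assigned as-is; confirm it is validated as an address before it is written.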




* Re: [PATCH 03/16] ovpnclients.dat: Fixes bug 13879
  2025-09-25 11:12 ` [PATCH 03/16] ovpnclients.dat: Fixes bug 13879 Adolf Belka
@ 2025-09-25 12:56   ` Bernhard Bitsch
  0 siblings, 0 replies; 24+ messages in thread
From: Bernhard Bitsch @ 2025-09-25 12:56 UTC (permalink / raw)
  To: development

Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>

On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13879 - CONNECTION_NAME SQL Injection
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/logs.cgi/ovpnclients.dat | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat
> index 8fbf4f8fa..5e6baef3c 100644
> --- a/html/cgi-bin/logs.cgi/ovpnclients.dat
> +++ b/html/cgi-bin/logs.cgi/ovpnclients.dat
> @@ -2,7 +2,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2020 IPFire Team  <info@ipfire.org>                           #
> +# Copyright (C) 2020 - 2025 IPFire Team  <info@ipfire.org>                    #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
> @@ -141,7 +141,7 @@ my $database_query = qq(
>           ORDER BY common_name, duration DESC;
>   );
>   
> -if ($cgiparams{'CONNECTION_NAME'}) {
> +if (($cgiparams{'CONNECTION_NAME'}) && ($cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/)) {
>   	$database_query = qq(
>   		SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent,
>   			STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions
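Review bot: the new condition `$cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/` has two gaps. In Perl `$` also matches before a trailing newline, so `\z` is the safer end anchor. And a name containing `-`, `_`, `.` or a space now fails the test silently, so the script falls back to the unfiltered query above and lists all sessions instead of reporting an invalid name. Passing CONNECTION_NAME to the query as a bound placeholder would remove the need to restrict the character set.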




* Re: [PATCH 04/16] header.pl: Fixes bug 13880
  2025-09-25 11:12 ` [PATCH 04/16] header.pl: Fixes bug 13880 Adolf Belka
@ 2025-09-25 13:21   ` Bernhard Bitsch
  0 siblings, 0 replies; 24+ messages in thread
From: Bernhard Bitsch @ 2025-09-25 13:21 UTC (permalink / raw)
  To: development

Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Verified-by: Bernhard Bitsch <bbitsch@ipfire.org>

On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   config/cfgroot/header.pl | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
> index 9492b467d..6e65f4137 100644
> --- a/config/cfgroot/header.pl
> +++ b/config/cfgroot/header.pl
> @@ -647,7 +647,7 @@ sub cleanhtml {
>   	# decode the UTF-8 text so that characters with diacritical marks such as
>   	# umlauts are treated correctly by the escape command
>   	$outstring = &Encode::decode("UTF-8",$outstring);
> -	escape($outstring);
> +	$outstring = escape($outstring);
>   	# encode the text back to UTF-8 after running the escape command
>   	$outstring = &Encode::encode("UTF-8",$outstring);
>   	return $outstring;
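Review bot: with `$outstring = escape($outstring);` cleanhtml() now really returns escaped text, so any value that was already passed through &Header::escape when it was stored (as other patches in this series do) will be encoded twice if it is later rendered through cleanhtml(). It is worth checking the callers for that, and adding a small test that feeds `<`, `&` and a character with a diacritical mark through cleanhtml() so the dropped return value cannot regress.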




* Re: [PATCH 05/16] firewalllogip.dat: Fixes bug 13881
  2025-09-25 11:12 ` [PATCH 05/16] firewalllogip.dat: Fixes bug 13881 Adolf Belka
@ 2025-09-25 13:36   ` Bernhard Bitsch
  0 siblings, 0 replies; 24+ messages in thread
From: Bernhard Bitsch @ 2025-09-25 13:36 UTC (permalink / raw)
  To: development

Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>

On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13881 - firewalllogip.dat pienumber Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/logs.cgi/firewalllogip.dat | 31 ++++++++++++++++---------
>   1 file changed, 20 insertions(+), 11 deletions(-)
> 
> diff --git a/html/cgi-bin/logs.cgi/firewalllogip.dat b/html/cgi-bin/logs.cgi/firewalllogip.dat
> index a7c6e5f80..361fe526d 100644
> --- a/html/cgi-bin/logs.cgi/firewalllogip.dat
> +++ b/html/cgi-bin/logs.cgi/firewalllogip.dat
> @@ -1,14 +1,23 @@
>   #!/usr/bin/perl
> -#
> -# SmoothWall CGIs
> -#
> -# This code is distributed under the terms of the GPL
> -#
> -# JC HERITIER
> -# page inspired from the initial firewalllog.dat
> -#
> -# Modified for IPFire by Christian Schmidt
> -#	                    and Michael Tremer (www.ipfire.org)
> +###############################################################################
> +#                                                                             #
> +# IPFire.org - A linux based firewall                                         #
> +# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
> +#                                                                             #
> +# This program is free software: you can redistribute it and/or modify        #
> +# it under the terms of the GNU General Public License as published by        #
> +# the Free Software Foundation, either version 3 of the License, or           #
> +# (at your option) any later version.                                         #
> +#                                                                             #
> +# This program is distributed in the hope that it will be useful,             #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
> +# GNU General Public License for more details.                                #
> +#                                                                             #
> +# You should have received a copy of the GNU General Public License           #
> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
> +#                                                                             #
> +###############################################################################
>   
>   use strict;
>   use Getopt::Std;
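Review bot: the header replacement removes the SmoothWall origin and the JC HERITIER, Christian Schmidt and Michael Tremer credit lines, and changes the licence wording from "the terms of the GPL" to version 3 or later, none of which is mentioned in the commit message for an XSS fix. That belongs in its own commit, with the original attribution kept.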
> @@ -61,7 +70,7 @@ if ($settings{'showpie'} != 0) { $cgiparams{'showpie'} = $settings{'showpie'} };
>   if ($settings{'sortcolumn'} != 0) { $cgiparams{'sortcolumn'} = $settings{'sortcolumn'} };
>   
>   &Header::getcgihash(\%cgiparams);
> -if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = $cgiparams{'pienumber'} };
> +if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = &Header::escape($cgiparams{'pienumber'}) };
>   if ($cgiparams{'otherspie'} != 0) { $settings{'otherspie'} = $cgiparams{'otherspie'} };
>   if ($cgiparams{'showpie'} != 0) { $settings{'showpie'} = $cgiparams{'showpie'} };
>   if ($cgiparams{'sortcolumn'} != 0) { $settings{'sortcolumn'} = $cgiparams{'sortcolumn'} };
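Review bot: pienumber is compared numerically with `!= 0`, so it is meant to be a number; a check such as `=~ /^\d+\z/` before the assignment would reject anything else, whereas &Header::escape stores an encoded string in a numeric setting. The otherspie, showpie and sortcolumn lines below follow the same pattern and are left unchanged.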




* Re: [PATCH 06/16] firewalllogcountry.dat: Fixes bug 13882
  2025-09-25 11:12 ` [PATCH 06/16] firewalllogcountry.dat: Fixes bug 13882 Adolf Belka
@ 2025-09-25 13:40   ` Bernhard Bitsch
  0 siblings, 0 replies; 24+ messages in thread
From: Bernhard Bitsch @ 2025-09-25 13:40 UTC (permalink / raw)
  To: development

Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>

On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13882 - firewalllogcountry.dat pienumber Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/logs.cgi/firewalllogcountry.dat | 31 +++++++++++++-------
>   1 file changed, 20 insertions(+), 11 deletions(-)
> 
> diff --git a/html/cgi-bin/logs.cgi/firewalllogcountry.dat b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
> index 4e998a567..b7fded9e3 100644
> --- a/html/cgi-bin/logs.cgi/firewalllogcountry.dat
> +++ b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
> @@ -1,14 +1,23 @@
>   #!/usr/bin/perl
> -#
> -# SmoothWall CGIs
> -#
> -# This code is distributed under the terms of the GPL
> -#
> -# JC HERITIER
> -# page inspired from the initial firewalllog.dat
> -#
> -# Modified for IPFire by Christian Schmidt
> -#			    and Michael Tremer (www.ipfire.org)
> +###############################################################################
> +#                                                                             #
> +# IPFire.org - A linux based firewall                                         #
> +# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
> +#                                                                             #
> +# This program is free software: you can redistribute it and/or modify        #
> +# it under the terms of the GNU General Public License as published by        #
> +# the Free Software Foundation, either version 3 of the License, or           #
> +# (at your option) any later version.                                         #
> +#                                                                             #
> +# This program is distributed in the hope that it will be useful,             #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
> +# GNU General Public License for more details.                                #
> +#                                                                             #
> +# You should have received a copy of the GNU General Public License           #
> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
> +#                                                                             #
> +###############################################################################
>   
>   use strict;
>   use Getopt::Std;
> @@ -61,7 +70,7 @@ if ($settings{'showpie'} != 0) { $cgiparams{'showpie'} = $settings{'showpie'} };
>   if ($settings{'sortcolumn'} != 0) { $cgiparams{'sortcolumn'} = $settings{'sortcolumn'} };
>   
>   &Header::getcgihash(\%cgiparams);
> -if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = $cgiparams{'pienumber'} };
> +if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = &Header::escape($cgiparams{'pienumber'}) };
>   if ($cgiparams{'otherspie'} != 0) { $settings{'otherspie'} = $cgiparams{'otherspie'} };
>   if ($cgiparams{'showpie'} != 0) { $settings{'showpie'} = $cgiparams{'showpie'} };
>   if ($cgiparams{'sortcolumn'} != 0) { $settings{'sortcolumn'} = $cgiparams{'sortcolumn'} };
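Review bot: this is the same one-line change as in firewalllogip.dat, applied to an identical block of four settings; moving the parameter handling into one shared, validating helper would fix both files in one place and cover otherspie, showpie and sortcolumn as well. The header rewrite in the first hunk also drops the original credit lines here.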




* Re: [PATCH 07/16] time.cgi: Fixes bug 13883
  2025-09-25 11:12 ` [PATCH 07/16] time.cgi: Fixes bug 13883 Adolf Belka
@ 2025-09-25 13:45   ` Bernhard Bitsch
  0 siblings, 0 replies; 24+ messages in thread
From: Bernhard Bitsch @ 2025-09-25 13:45 UTC (permalink / raw)
  To: development

Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>

On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13883 - time.cgi UPDATE_VALUE Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/time.cgi | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/html/cgi-bin/time.cgi b/html/cgi-bin/time.cgi
> index 04c1e771f..d465354bb 100644
> --- a/html/cgi-bin/time.cgi
> +++ b/html/cgi-bin/time.cgi
> @@ -2,7 +2,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2010  IPFire Team                                             #
> +# Copyright (C) 2010-2025  IPFire Team  <info@ipfire.org>                     #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
> @@ -78,6 +78,7 @@ if ($timesettings{'ACTION'} eq $Lang::tr{'save'})
>   	if (!($timesettings{'UPDATE_VALUE'} =~ /^\d+$/) || $timesettings{'UPDATE_VALUE'} <= 0)
>   	{
>   		$errormessage = $Lang::tr{'invalid time period'};
> +		$timesettings{'UPDATE_VALUE'} = 0;
>   		goto ERROR;
>   	}
>   
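Review bot: the added `$timesettings{'UPDATE_VALUE'} = 0;` discards the rejected input before `goto ERROR`, which keeps it out of the re-rendered page, but 0 is itself rejected by the `<= 0` test above, so the form comes back holding a value that cannot be saved. Restoring the previously stored period would be friendlier to the administrator.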




* Re: [PATCH 08/16] ddns.cgi: Fixes bug 13884
  2025-09-25 11:12 ` [PATCH 08/16] ddns.cgi: Fixes bug 13884 Adolf Belka
@ 2025-09-25 13:50   ` Bernhard Bitsch
  0 siblings, 0 replies; 24+ messages in thread
From: Bernhard Bitsch @ 2025-09-25 13:50 UTC (permalink / raw)
  To: development

Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>

On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13884 - ddns.cgi LOGIN PASSWORD SERVICE Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/ddns.cgi | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi
> index 34475b75c..60565da3f 100644
> --- a/html/cgi-bin/ddns.cgi
> +++ b/html/cgi-bin/ddns.cgi
> @@ -2,7 +2,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2014  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
> @@ -226,6 +226,9 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::
>   			flock FILE, 2;
>   
>   			# Add account data to the file.
> +			$settings{'SERVICE'} = &Header::escape(($settings{'SERVICE'});
> +			$settings{'LOGIN'} = &Header::escape(($settings{'LOGIN'});
> +			$settings{'PASSWORD'} = &Header::escape(($settings{'PASSWORD'});
>   			print FILE "$settings{'SERVICE'},$hostname,$domain,$settings{'PROXY'},$settings{'WILDCARDS'},$settings{'LOGIN'},$settings{'PASSWORD'},$settings{'ENABLED'}\n";
>   
>   			# Close file after writing.
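Review bot: all three added lines have an unbalanced parenthesis, for example `&Header::escape(($settings{'SERVICE'});` opens two and closes one, so ddns.cgi will not compile with this patch applied; each should read `&Header::escape($settings{'SERVICE'});` with the matching key. Separately, escaping LOGIN and PASSWORD before they are written to the account line changes the stored credentials whenever they contain a character that the escape rewrites.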



