* [PATCH 02/16] ids.cgi: Fixes bug 13878
2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
2025-09-25 12:51 ` Bernhard Bitsch
2025-09-25 11:12 ` [PATCH 03/16] ovpnclients.dat: Fixes bug 13879 Adolf Belka
` (14 subsequent siblings)
15 siblings, 1 reply; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13878 - IGNORE_ENTRY_REMARK Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/ids.cgi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 994872564..9c6b393f6 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -105,7 +105,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq
# Assign hash values.
my $new_entry_address = $cgiparams{'IGNORE_ENTRY_ADDRESS'};
- my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'};
+ my $new_entry_remark = &Header::escape($cgiparams{'IGNORE_ENTRY_REMARK'});
# Read-in ignoredfile.
&General::readhasharray($IDS::ignored_file, \%ignored) if (-e $IDS::ignored_file);
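Review bot: The escape on the `$new_entry_remark` assignment happens at storage time, so the ignored file now holds HTML entities rather than what the user typed. Anything else that reads `$IDS::ignored_file`, and any edit path that loads a remark back into the form and saves it again, has to know the value is already encoded or it will be encoded twice. Storing the raw remark and calling `&Header::escape()` where it is printed keeps the file clean and also covers entries written before this patch. `IGNORE_ENTRY_ADDRESS` on the line above is still copied unmodified; the hunk does not show whether it is validated as an address before it is saved or printed, which is worth confirming.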
--
2.51.0
* Re: [PATCH 02/16] ids.cgi: Fixes bug 13878
From: Bernhard Bitsch @ 2025-09-25 12:51 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13878 - IGNORE_ENTRY_REMARK Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> html/cgi-bin/ids.cgi | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
> index 994872564..9c6b393f6 100644
> --- a/html/cgi-bin/ids.cgi
> +++ b/html/cgi-bin/ids.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
> +# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -105,7 +105,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq
>
> # Assign hash values.
> my $new_entry_address = $cgiparams{'IGNORE_ENTRY_ADDRESS'};
> - my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'};
> + my $new_entry_remark = &Header::escape($cgiparams{'IGNORE_ENTRY_REMARK'});
>
> # Read-in ignoredfile.
> &General::readhasharray($IDS::ignored_file, \%ignored) if (-e $IDS::ignored_file);
* [PATCH 03/16] ovpnclients.dat: Fixes bug 13879
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13879 - CONNECTION_NAME SQL Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/logs.cgi/ovpnclients.dat | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat
index 8fbf4f8fa..5e6baef3c 100644
--- a/html/cgi-bin/logs.cgi/ovpnclients.dat
+++ b/html/cgi-bin/logs.cgi/ovpnclients.dat
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2020 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2020 - 2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -141,7 +141,7 @@ my $database_query = qq(
ORDER BY common_name, duration DESC;
);
-if ($cgiparams{'CONNECTION_NAME'}) {
+if (($cgiparams{'CONNECTION_NAME'}) && ($cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/)) {
$database_query = qq(
SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent,
STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions
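Review bot: When `CONNECTION_NAME` is set but fails the new pattern, the `if` is simply skipped and the page runs the default query for all sessions, with no error shown. A user who filters on a name containing a hyphen, dot or underscore gets the unfiltered list and no hint why. Reporting the rejected value through the page's error message would make that visible, and the allowed set should match whatever characters the OpenVPN connection names can actually contain.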
--
2.51.0
* Re: [PATCH 03/16] ovpnclients.dat: Fixes bug 13879
From: Bernhard Bitsch @ 2025-09-25 12:56 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13879 - CONNECTION_NAME SQL Injection
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> html/cgi-bin/logs.cgi/ovpnclients.dat | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat
> index 8fbf4f8fa..5e6baef3c 100644
> --- a/html/cgi-bin/logs.cgi/ovpnclients.dat
> +++ b/html/cgi-bin/logs.cgi/ovpnclients.dat
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2020 IPFire Team <info@ipfire.org> #
> +# Copyright (C) 2020 - 2025 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -141,7 +141,7 @@ my $database_query = qq(
> ORDER BY common_name, duration DESC;
> );
>
> -if ($cgiparams{'CONNECTION_NAME'}) {
> +if (($cgiparams{'CONNECTION_NAME'}) && ($cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/)) {
> $database_query = qq(
> SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent,
> STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions
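Review bot: In the new condition, `$` in `/^[a-zA-Z0-9]+$/` also matches before a trailing newline, so a value that ends in a newline still passes; `\z` anchors at the true end of the string. The pattern only narrows what can reach the `qq()` string below it. Putting a `?` placeholder in the query and passing the name as a bind value would remove the dependency on the pattern altogether.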
* [PATCH 04/16] header.pl: Fixes bug 13880
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/cfgroot/header.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index 9492b467d..6e65f4137 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -647,7 +647,7 @@ sub cleanhtml {
# decode the UTF-8 text so that characters with diacritical marks such as
# umlauts are treated correctly by the escape command
$outstring = &Encode::decode("UTF-8",$outstring);
- escape($outstring);
+ $outstring = escape($outstring);
# encode the text back to UTF-8 after running the escape command
$outstring = &Encode::encode("UTF-8",$outstring);
return $outstring;
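Review bot: With `$outstring = escape($outstring);` the function returns escaped text for the first time, so every caller of `cleanhtml()` changes behaviour with this one line. Callers that compensated by calling `escape()` on the result, or that pass in data already escaped at storage time, will now show double-encoded entities such as `&amp;lt;`. A grep over the callers and a sentence in the commit message about the expected visible changes would help whoever tests this.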
--
2.51.0
* Re: [PATCH 04/16] header.pl: Fixes bug 13880
From: Bernhard Bitsch @ 2025-09-25 13:21 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Verified-by: Bernhard Bitsch <bbitsch@ipfire.org>
On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> config/cfgroot/header.pl | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
> index 9492b467d..6e65f4137 100644
> --- a/config/cfgroot/header.pl
> +++ b/config/cfgroot/header.pl
> @@ -647,7 +647,7 @@ sub cleanhtml {
> # decode the UTF-8 text so that characters with diacritical marks such as
> # umlauts are treated correctly by the escape command
> $outstring = &Encode::decode("UTF-8",$outstring);
> - escape($outstring);
> + $outstring = escape($outstring);
> # encode the text back to UTF-8 after running the escape command
> $outstring = &Encode::encode("UTF-8",$outstring);
> return $outstring;
* [PATCH 05/16] firewalllogip.dat: Fixes bug 13881
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13881 - firewalllogip.dat pienumber Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/logs.cgi/firewalllogip.dat | 31 ++++++++++++++++---------
1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/html/cgi-bin/logs.cgi/firewalllogip.dat b/html/cgi-bin/logs.cgi/firewalllogip.dat
index a7c6e5f80..361fe526d 100644
--- a/html/cgi-bin/logs.cgi/firewalllogip.dat
+++ b/html/cgi-bin/logs.cgi/firewalllogip.dat
@@ -1,14 +1,23 @@
#!/usr/bin/perl
-#
-# SmoothWall CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# JC HERITIER
-# page inspired from the initial firewalllog.dat
-#
-# Modified for IPFire by Christian Schmidt
-# and Michael Tremer (www.ipfire.org)
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
use strict;
use Getopt::Std;
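Review bot: The header rewrite removes the SmoothWall origin and the credits for JC HERITIER, Christian Schmidt and Michael Tremer, and replaces "distributed under the terms of the GPL" with a GPL version 3 or later notice. That is an attribution and licensing change unrelated to bug 13881, and it accounts for 29 of the 31 changed lines in this patch. It belongs in its own commit with its own justification, and the original author credits should stay in the file.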
@@ -61,7 +70,7 @@ if ($settings{'showpie'} != 0) { $cgiparams{'showpie'} = $settings{'showpie'} };
if ($settings{'sortcolumn'} != 0) { $cgiparams{'sortcolumn'} = $settings{'sortcolumn'} };
&Header::getcgihash(\%cgiparams);
-if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = $cgiparams{'pienumber'} };
+if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = &Header::escape($cgiparams{'pienumber'}) };
if ($cgiparams{'otherspie'} != 0) { $settings{'otherspie'} = $cgiparams{'otherspie'} };
if ($cgiparams{'showpie'} != 0) { $settings{'showpie'} = $cgiparams{'showpie'} };
if ($cgiparams{'sortcolumn'} != 0) { $settings{'sortcolumn'} = $cgiparams{'sortcolumn'} };
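Review bot: `pienumber` is compared numerically on the same line (`!= 0`), so it is meant to be a count, and Perl's numeric comparison accepts any string that merely starts with digits. Checking it with `=~ /^\d+\z/` and discarding anything else is a tighter fix than `&Header::escape()`, which lets non-numeric text through in encoded form. `otherspie`, `showpie` and `sortcolumn` on the following three lines are copied from `%cgiparams` the same way and get no treatment in this hunk.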
--
2.51.0
* Re: [PATCH 05/16] firewalllogip.dat: Fixes bug 13881
From: Bernhard Bitsch @ 2025-09-25 13:36 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13881 - firewalllogip.dat pienumber Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> html/cgi-bin/logs.cgi/firewalllogip.dat | 31 ++++++++++++++++---------
> 1 file changed, 20 insertions(+), 11 deletions(-)
>
> diff --git a/html/cgi-bin/logs.cgi/firewalllogip.dat b/html/cgi-bin/logs.cgi/firewalllogip.dat
> index a7c6e5f80..361fe526d 100644
> --- a/html/cgi-bin/logs.cgi/firewalllogip.dat
> +++ b/html/cgi-bin/logs.cgi/firewalllogip.dat
> @@ -1,14 +1,23 @@
> #!/usr/bin/perl
> -#
> -# SmoothWall CGIs
> -#
> -# This code is distributed under the terms of the GPL
> -#
> -# JC HERITIER
> -# page inspired from the initial firewalllog.dat
> -#
> -# Modified for IPFire by Christian Schmidt
> -# and Michael Tremer (www.ipfire.org)
> +###############################################################################
> +# #
> +# IPFire.org - A linux based firewall #
> +# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
> +# #
> +# This program is free software: you can redistribute it and/or modify #
> +# it under the terms of the GNU General Public License as published by #
> +# the Free Software Foundation, either version 3 of the License, or #
> +# (at your option) any later version. #
> +# #
> +# This program is distributed in the hope that it will be useful, #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
> +# GNU General Public License for more details. #
> +# #
> +# You should have received a copy of the GNU General Public License #
> +# along with this program. If not, see <http://www.gnu.org/licenses/>. #
> +# #
> +###############################################################################
>
> use strict;
> use Getopt::Std;
> @@ -61,7 +70,7 @@ if ($settings{'showpie'} != 0) { $cgiparams{'showpie'} = $settings{'showpie'} };
> if ($settings{'sortcolumn'} != 0) { $cgiparams{'sortcolumn'} = $settings{'sortcolumn'} };
>
> &Header::getcgihash(\%cgiparams);
> -if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = $cgiparams{'pienumber'} };
> +if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = &Header::escape($cgiparams{'pienumber'}) };
> if ($cgiparams{'otherspie'} != 0) { $settings{'otherspie'} = $cgiparams{'otherspie'} };
> if ($cgiparams{'showpie'} != 0) { $settings{'showpie'} = $cgiparams{'showpie'} };
> if ($cgiparams{'sortcolumn'} != 0) { $settings{'sortcolumn'} = $cgiparams{'sortcolumn'} };
* [PATCH 06/16] firewalllogcountry.dat: Fixes bug 13882
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13882 - firewalllogcountry.dat pienumber Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/logs.cgi/firewalllogcountry.dat | 31 +++++++++++++-------
1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/html/cgi-bin/logs.cgi/firewalllogcountry.dat b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
index 4e998a567..b7fded9e3 100644
--- a/html/cgi-bin/logs.cgi/firewalllogcountry.dat
+++ b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
@@ -1,14 +1,23 @@
#!/usr/bin/perl
-#
-# SmoothWall CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# JC HERITIER
-# page inspired from the initial firewalllog.dat
-#
-# Modified for IPFire by Christian Schmidt
-# and Michael Tremer (www.ipfire.org)
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
use strict;
use Getopt::Std;
@@ -61,7 +70,7 @@ if ($settings{'showpie'} != 0) { $cgiparams{'showpie'} = $settings{'showpie'} };
if ($settings{'sortcolumn'} != 0) { $cgiparams{'sortcolumn'} = $settings{'sortcolumn'} };
&Header::getcgihash(\%cgiparams);
-if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = $cgiparams{'pienumber'} };
+if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = &Header::escape($cgiparams{'pienumber'}) };
if ($cgiparams{'otherspie'} != 0) { $settings{'otherspie'} = $cgiparams{'otherspie'} };
if ($cgiparams{'showpie'} != 0) { $settings{'showpie'} = $cgiparams{'showpie'} };
if ($cgiparams{'sortcolumn'} != 0) { $settings{'sortcolumn'} = $cgiparams{'sortcolumn'} };
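Review bot: The changed `pienumber` line is identical to the one in firewalllogip.dat from patch 05/16, which shows the parameter handling is duplicated between the two files. Moving the `pienumber`, `otherspie`, `showpie` and `sortcolumn` assignments into one shared routine that accepts only integers would fix both pages at once and keep them from drifting apart on the next change.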
--
2.51.0
* Re: [PATCH 06/16] firewalllogcountry.dat: Fixes bug 13882
From: Bernhard Bitsch @ 2025-09-25 13:40 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13882 - firewalllogcountry.dat pienumber Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> html/cgi-bin/logs.cgi/firewalllogcountry.dat | 31 +++++++++++++-------
> 1 file changed, 20 insertions(+), 11 deletions(-)
>
> diff --git a/html/cgi-bin/logs.cgi/firewalllogcountry.dat b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
> index 4e998a567..b7fded9e3 100644
> --- a/html/cgi-bin/logs.cgi/firewalllogcountry.dat
> +++ b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
> @@ -1,14 +1,23 @@
> #!/usr/bin/perl
> -#
> -# SmoothWall CGIs
> -#
> -# This code is distributed under the terms of the GPL
> -#
> -# JC HERITIER
> -# page inspired from the initial firewalllog.dat
> -#
> -# Modified for IPFire by Christian Schmidt
> -# and Michael Tremer (www.ipfire.org)
> +###############################################################################
> +# #
> +# IPFire.org - A linux based firewall #
> +# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
> +# #
> +# This program is free software: you can redistribute it and/or modify #
> +# it under the terms of the GNU General Public License as published by #
> +# the Free Software Foundation, either version 3 of the License, or #
> +# (at your option) any later version. #
> +# #
> +# This program is distributed in the hope that it will be useful, #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
> +# GNU General Public License for more details. #
> +# #
> +# You should have received a copy of the GNU General Public License #
> +# along with this program. If not, see <http://www.gnu.org/licenses/>. #
> +# #
> +###############################################################################
>
> use strict;
> use Getopt::Std;
> @@ -61,7 +70,7 @@ if ($settings{'showpie'} != 0) { $cgiparams{'showpie'} = $settings{'showpie'} };
> if ($settings{'sortcolumn'} != 0) { $cgiparams{'sortcolumn'} = $settings{'sortcolumn'} };
>
> &Header::getcgihash(\%cgiparams);
> -if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = $cgiparams{'pienumber'} };
> +if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = &Header::escape($cgiparams{'pienumber'}) };
> if ($cgiparams{'otherspie'} != 0) { $settings{'otherspie'} = $cgiparams{'otherspie'} };
> if ($cgiparams{'showpie'} != 0) { $settings{'showpie'} = $cgiparams{'showpie'} };
> if ($cgiparams{'sortcolumn'} != 0) { $settings{'sortcolumn'} = $cgiparams{'sortcolumn'} };
* [PATCH 07/16] time.cgi: Fixes bug 13883
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13883 - time.cgi UPDATE_VALUE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/time.cgi | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/time.cgi b/html/cgi-bin/time.cgi
index 04c1e771f..d465354bb 100644
--- a/html/cgi-bin/time.cgi
+++ b/html/cgi-bin/time.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2010 IPFire Team #
+# Copyright (C) 2010-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -78,6 +78,7 @@ if ($timesettings{'ACTION'} eq $Lang::tr{'save'})
if (!($timesettings{'UPDATE_VALUE'} =~ /^\d+$/) || $timesettings{'UPDATE_VALUE'} <= 0)
{
$errormessage = $Lang::tr{'invalid time period'};
+ $timesettings{'UPDATE_VALUE'} = 0;
goto ERROR;
}
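Review bot: Resetting `UPDATE_VALUE` to 0 on the error path puts a value into the form that the same condition rejects (`<= 0`), so the user sees a number they did not enter and cannot save. Clearing the field, or restoring the previously saved setting, reads better next to the 'invalid time period' message. Separately, `/^\d+$/` in the context line accepts a trailing newline; `/^\d+\z/` does not.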
--
2.51.0
* Re: [PATCH 07/16] time.cgi: Fixes bug 13883
From: Bernhard Bitsch @ 2025-09-25 13:45 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13883 - time.cgi UPDATE_VALUE Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> html/cgi-bin/time.cgi | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/html/cgi-bin/time.cgi b/html/cgi-bin/time.cgi
> index 04c1e771f..d465354bb 100644
> --- a/html/cgi-bin/time.cgi
> +++ b/html/cgi-bin/time.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2010 IPFire Team #
> +# Copyright (C) 2010-2025 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -78,6 +78,7 @@ if ($timesettings{'ACTION'} eq $Lang::tr{'save'})
> if (!($timesettings{'UPDATE_VALUE'} =~ /^\d+$/) || $timesettings{'UPDATE_VALUE'} <= 0)
> {
> $errormessage = $Lang::tr{'invalid time period'};
> + $timesettings{'UPDATE_VALUE'} = 0;
> goto ERROR;
> }
>
* [PATCH 08/16] ddns.cgi: Fixes bug 13884
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13884 - ddns.cgi LOGIN PASSWORD SERVICE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/ddns.cgi | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi
index 34475b75c..60565da3f 100644
--- a/html/cgi-bin/ddns.cgi
+++ b/html/cgi-bin/ddns.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2014 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -226,6 +226,9 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::
flock FILE, 2;
# Add account data to the file.
+ $settings{'SERVICE'} = &Header::escape(($settings{'SERVICE'});
+ $settings{'LOGIN'} = &Header::escape(($settings{'LOGIN'});
+ $settings{'PASSWORD'} = &Header::escape(($settings{'PASSWORD'});
print FILE "$settings{'SERVICE'},$hostname,$domain,$settings{'PROXY'},$settings{'WILDCARDS'},$settings{'LOGIN'},$settings{'PASSWORD'},$settings{'ENABLED'}\n";
# Close file after writing.
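Review bot: All three added lines have an unbalanced parenthesis: `&Header::escape(($settings{'SERVICE'});` opens two and closes one, so ddns.cgi will not compile with this hunk applied. Drop the extra `(` on the `SERVICE`, `LOGIN` and `PASSWORD` lines and run `perl -c` on the file before resending.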
--
2.51.0
* Re: [PATCH 08/16] ddns.cgi: Fixes bug 13884
From: Bernhard Bitsch @ 2025-09-25 13:50 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: bug 13884 - ddns.cgi LOGIN PASSWORD SERVICE Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> html/cgi-bin/ddns.cgi | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi
> index 34475b75c..60565da3f 100644
> --- a/html/cgi-bin/ddns.cgi
> +++ b/html/cgi-bin/ddns.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2014 IPFire Team <info@ipfire.org> #
> +# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -226,6 +226,9 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::
> flock FILE, 2;
>
> # Add account data to the file.
> + $settings{'SERVICE'} = &Header::escape(($settings{'SERVICE'});
> + $settings{'LOGIN'} = &Header::escape(($settings{'LOGIN'});
> + $settings{'PASSWORD'} = &Header::escape(($settings{'PASSWORD'});
> print FILE "$settings{'SERVICE'},$hostname,$domain,$settings{'PROXY'},$settings{'WILDCARDS'},$settings{'LOGIN'},$settings{'PASSWORD'},$settings{'ENABLED'}\n";
>
> # Close file after writing.
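Review bot: Escaping `$settings{'PASSWORD'}` and `$settings{'LOGIN'}` before the `print FILE` line changes the stored credentials: a value containing HTML special characters is written to the accounts file in encoded form, and whatever later reads that file to authenticate against the DDNS provider gets the encoded string instead of the real one. Keeping the stored values raw and escaping only where the page prints them into HTML avoids breaking logins.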
* [PATCH 09/16] qos.cgi: Fixes bug 13885
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13885 - qos.cgi INC_SPD OUT_SPD DEFCLASS_INC DEFCLASS_OUT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/qos.cgi | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi
index 52392be08..8400bafdf 100644
--- a/html/cgi-bin/qos.cgi
+++ b/html/cgi-bin/qos.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -671,6 +671,8 @@ END
END
;
if (($qossettings{'OUT_SPD'} ne '') && ($qossettings{'INC_SPD'} ne '')) {
+ $qossettings{'OUT_SPD'} = &Header::escape($qossettings{'OUT_SPD'});
+ $qossettings{'INC_SPD'} = &Header::escape($qossettings{'INC_SPD'});
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%'>
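Review bot: The only test on `OUT_SPD` and `INC_SPD` in this hunk is `ne ''`, although by their names both are speed values. Rejecting anything that is not a positive integer when the values are submitted would stop bad data from being saved at all; escaping just before the `print <<END` hides it in this one form while the stored value stays as submitted.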
@@ -683,6 +685,8 @@ END
;
}
if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')) {
+ $qossettings{'DEFCLASS_OUT'} = &Header::escape($qossettings{'DEFCLASS_OUT'});
+ $qossettings{'DEFCLASS_INC'} = &Header::escape($qossettings{'DEFCLASS_INC'});
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%'>
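Review bot: The two added lines overwrite `$qossettings{'DEFCLASS_OUT'}` and `$qossettings{'DEFCLASS_INC'}` in place, so any code after this block that compares those values or writes the hash back to disk sees the HTML-encoded form. Assigning the escaped strings to local variables used only inside the heredoc keeps display encoding out of the settings hash.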
--
2.51.0
* [PATCH 10/16] calamaris.dat: Fixes bug 13886
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13886 - calamaris.dat Multiple Parameters Command Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/logs.cgi/calamaris.dat | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/html/cgi-bin/logs.cgi/calamaris.dat b/html/cgi-bin/logs.cgi/calamaris.dat
index dcc812e47..1c8e4b68e 100644
--- a/html/cgi-bin/logs.cgi/calamaris.dat
+++ b/html/cgi-bin/logs.cgi/calamaris.dat
@@ -170,6 +170,10 @@ if ($reportsettings{'ACTION'} eq $Lang::tr{'calamaris create report'})
if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; }
+ if (!($commandline =~ /^[a-zA-Z0-9-\s]+$/))
+ {
+ die "Invalid input in\"$commandline\"";
+ }
system("${General::swroot}/proxy/calamaris/bin/mkreport $commandline")
}
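Review bot: The new check runs after the context line that appends `" &"` when `RUN_BACKGROUND` is on, and `&` is not in `[a-zA-Z0-9-\s]`, so every background report now ends in `die`. Validate `$commandline` before the `" &"` is added, or better, validate each report option on its own. Two further points on the same lines: `\s` admits newlines into a string that the single-argument `system()` hands to the shell, so the list form of `system()` with one argument per option is safer than filtering; and `die` in a CGI gives the user a server error where an error message on the page would be readable.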
--
2.51.0
* [PATCH 11/16] urlfilter.cgi: Fixes bugs 13887, 13888 & 13889
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13887 - urlfilter.cgi BE_NAME Command Injection
Fixes: bug 13888 - urlfilter.cgi USERQUOTA QUOTA_USERS Stored Cross-Site Scripting
Fixes: bug 13889 - urlfilter.cgi TIMECONSTRAINT SRC DST COMMENT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/urlfilter.cgi | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/urlfilter.cgi b/html/cgi-bin/urlfilter.cgi
index 1ced06e26..2467f297c 100644
--- a/html/cgi-bin/urlfilter.cgi
+++ b/html/cgi-bin/urlfilter.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2005-2010 IPFire Team #
+# Copyright (C) 2005-2025 IPFire Team #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -576,7 +576,7 @@ if (($uqsettings{'MODE'} eq 'USERQUOTA') && ($uqsettings{'ACTION'} eq $Lang::tr{
$_ = $uqsettings{'QUOTA_USERS'};
chomp; s/\n/|/g;
- my $quota_users = $_;
+ my $quota_users = &Header::escape($_);
if ($uqsettings{'QUOTA_USERS'} =~ /\\/)
{
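Review bot: `$quota_users` is escaped inside the ACTION handler, before the value is used further, so what gets kept is the entity-encoded text rather than the user names that were entered; anything that later matches these names against real users, or re-submits the value through the form, works on altered text. The backslash test on the next line still reads the raw `$uqsettings{'QUOTA_USERS'}`, so the two code paths now look at different strings. Prefer validating the names here and escaping where the list is printed.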
@@ -936,6 +936,11 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter install blacklist'}) && ($bes
close FILE;
# XXX uses globbing
+ if(!($besettings{'BE_NAME'} =~ /^[a-zA-Z0-9-_]+$/))
+ {
+ $errormessage = 'Invalid blacklist name (use only alphanumeric characters plus hyphens or underscores)';
+ goto ERROR;
+ }
system("rm -f $dbdir/$besettings{'BE_NAME'}/*.db");
&General::system("/usr/bin/squidGuard", "-c", "$editdir/install.conf", "-C", "all");
# XXX uses globbing
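Review bot: in the `BE_NAME` check, `$` still matches before a trailing newline and the hyphen in `[a-zA-Z0-9-_]` sits mid-class where it reads like a range; use `\z` and put the hyphen last, for example `/^[a-zA-Z0-9_-]+\z/`. The check is also placed after `close FILE`, so please confirm that nothing derived from `BE_NAME` is used before this point. With the name constrained, the `rm -f` line could stop going through the shell by unlinking the `*.db` files from Perl, which would also retire the `# XXX uses globbing` caveat.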
@@ -2047,6 +2052,10 @@ foreach $line (@tclist)
if ($temp[7] eq 'on') { $time.=$Lang::tr{'urlfilter sun'}; } else { $time.='='; }
$time=$time.' '.$temp[8].':'.$temp[9].' to '.$temp[10].':'.$temp[11];
+ $temp[12] = &Header::escape($temp[12]);
+ $temp[13] = &Header::escape($temp[13]);
+ $temp[16] = &Header::escape($temp[16]);
+
print <<END
<td align='center'>$temp[0]</td>
<td align='center' nowrap>$time</td>
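Review bot: `$temp[12]`, `$temp[13]` and `$temp[16]` are escaped by bare index with no comment saying which fields they hold; a one-line comment tying them to the fields named in bug 13889 (SRC, DST, COMMENT) would let the next reader verify coverage. `$temp[0]` is printed in the same heredoc without escaping, so please confirm it can only hold a fixed value.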
--
2.51.0
* [PATCH 12/16] config.dat: Fixes bug 13890
2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
` (9 preceding siblings ...)
2025-09-25 11:12 ` [PATCH 11/16] urlfilter.cgi: Fixes bugs 13887, 13888 & 13889 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
2025-09-25 11:12 ` [PATCH 13/16] mail.cgi: Fixes bug 13891 Adolf Belka
` (4 subsequent siblings)
15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13890 - config.dat REMOTELOG_ADDR Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/logs.cgi/config.dat | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/html/cgi-bin/logs.cgi/config.dat b/html/cgi-bin/logs.cgi/config.dat
index aed0db9cf..e4b173ffb 100644
--- a/html/cgi-bin/logs.cgi/config.dat
+++ b/html/cgi-bin/logs.cgi/config.dat
@@ -1,13 +1,23 @@
#!/usr/bin/perl
-#
-# IPFire CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# (c) The IPFire Team
-#
-# $Id: config.dat,v 1.2.2.10 2005/06/14 12:32:07 eoberlander Exp $
-#
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
use strict;
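Review bot: the license-header rewrite makes up most of this patch and is unrelated to the `REMOTELOG_ADDR` fix; it would be easier to review and backport as its own commit. The new header also says `Copyright (C) 2007-2025` while the removed `$Id` line is dated 2005/06/14, so the start year looks off.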
@@ -143,6 +153,7 @@ END
&Header::closebox();
&Header::openbox('100%', 'left', $Lang::tr{'remote logging'});
+$logsettings{'REMOTELOG_ADDR'} = &Header::escape($logsettings{'REMOTELOG_ADDR'});
print <<END
<table width='100%'>
<tr>
--
2.51.0
* [PATCH 13/16] mail.cgi: Fixes bug 13891
2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
` (10 preceding siblings ...)
2025-09-25 11:12 ` [PATCH 12/16] config.dat: Fixes bug 13890 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
2025-09-25 11:12 ` [PATCH 14/16] dns.cgi: Fixes bug 13892 Adolf Belka
` (3 subsequent siblings)
15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13891 - mail.cgi txt_mailuser txt_mailpass Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/mail.cgi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi
index 0ed3dfeca..aae4abc31 100644
--- a/html/cgi-bin/mail.cgi
+++ b/html/cgi-bin/mail.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -102,8 +102,8 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}"){ #SaveButton on configsite
$mail{'RECIPIENT'} = $cgiparams{'txt_recipient'};
if ($cgiparams{'txt_mailuser'} && $cgiparams{'txt_mailpass'}) {
- $auth{'AUTHNAME'} = $cgiparams{'txt_mailuser'};
- $auth{'AUTHPASS'} = $cgiparams{'txt_mailpass'};
+ $auth{'AUTHNAME'} = &Header::escape($cgiparams{'txt_mailuser'});
+ $auth{'AUTHPASS'} = &Header::escape($cgiparams{'txt_mailpass'});
$auth{'AUTHHOST'} = $cgiparams{'txt_mailserver'};
print TXT1 "$auth{'AUTHNAME'}|$auth{'AUTHHOST'}:$auth{'AUTHPASS'}\n";
}
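Review bot: `AUTHNAME` and `AUTHPASS` are escaped before they are written to `TXT1`, so the stored credentials change: a user name or password containing any character that `Header::escape` rewrites (such as `&` or `<`) is saved in encoded form and will no longer match what the mail server expects. Store the raw values and escape them only where they are printed into the page. Since the line is written as `name|host:pass`, the inputs should separately be checked for the delimiter characters and line breaks, and `txt_mailserver` goes into the same line without any handling.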
--
2.51.0
* [PATCH 14/16] dns.cgi: Fixes bug 13892
2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
` (11 preceding siblings ...)
2025-09-25 11:12 ` [PATCH 13/16] mail.cgi: Fixes bug 13891 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
2025-09-25 11:12 ` [PATCH 15/16] proxy.cgi: Fixes bug 13893 Adolf Belka
` (2 subsequent siblings)
15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13892 - dns.cgi TLS_HOSTNAME Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/dns.cgi | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi
index 0d3b14797..a4f1c719e 100644
--- a/html/cgi-bin/dns.cgi
+++ b/html/cgi-bin/dns.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2005-2024 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2005-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -187,6 +187,7 @@ if (($cgiparams{'SERVERS'} eq $Lang::tr{'save'}) || ($cgiparams{'SERVERS'} eq $L
}
# Add/Modify the entry to/in the dns_servers hash.
+ $cgiparams{'TLS_HOSTNAME'} = &Header::escape($cgiparams{'TLS_HOSTNAME'});
$dns_servers{$id} = ["$cgiparams{'NAMESERVER'}", "$cgiparams{'TLS_HOSTNAME'}", "$status", "$cgiparams{'REMARK'}"];
# Write the changed hash to the config file.
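Review bot: `TLS_HOSTNAME` is escaped before it goes into `%dns_servers` and from there into the config file, so the saved hostname is the HTML-encoded form. A hostname has a narrow valid syntax, so rejecting anything that is not a valid host name at this point would be the stronger fix and keeps the stored data clean. `REMARK` is stored in the same array without any handling; if it is shown in the same table it needs escaping where it is printed.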
--
2.51.0
* [PATCH 15/16] proxy.cgi: Fixes bug 13893
2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
` (12 preceding siblings ...)
2025-09-25 11:12 ` [PATCH 14/16] dns.cgi: Fixes bug 13892 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
2025-09-25 11:12 ` [PATCH 16/16] proxy.cgi: Further fix for " Adolf Belka
2025-09-25 12:47 ` [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Bernhard Bitsch
15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/proxy.cgi | 1 +
1 file changed, 1 insertion(+)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index bdce2fa66..1ade39381 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3973,6 +3973,7 @@ END
{
print FILE " $mainsettings{'HOSTNAME'}.$mainsettings{'DOMAINNAME'}\n\n";
} else {
+ $proxysettings{'VISIBLE_HOSTNAME'} = &Header::escape($proxysettings{'VISIBLE_HOSTNAME'});
print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
}
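Review bot: the escaped `VISIBLE_HOSTNAME` is written with `print FILE`, that is, into a generated file and not into HTML, so entity encoding is the wrong encoding for this sink and constrains nothing beyond the few characters it rewrites. Validate the value as a hostname when it is submitted, and escape separately at the point where the settings page prints it.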
--
2.51.0
* [PATCH 16/16] proxy.cgi: Further fix for bug 13893
2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
` (13 preceding siblings ...)
2025-09-25 11:12 ` [PATCH 15/16] proxy.cgi: Fixes bug 13893 Adolf Belka
@ 2025-09-25 11:12 ` Adolf Belka
2025-09-25 12:47 ` [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Bernhard Bitsch
15 siblings, 0 replies; 24+ messages in thread
From: Adolf Belka @ 2025-09-25 11:12 UTC (permalink / raw)
To: development; +Cc: Adolf Belka
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/proxy.cgi | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 1ade39381..3fbd78d2c 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3977,8 +3977,16 @@ END
print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
}
- if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; }
- if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; }
+ if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq ''))
+ {
+ $proxysettings{'ADMIN_MAIL_ADDRESS'} = &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'});
+ print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n";
+ }
+ if (!($proxysettings{'ADMIN_PASSWORD'} eq ''))
+ {
+ $proxysettings{'ADMIN_PASSWORD'} = &Header::escape($proxysettings{'ADMIN_PASSWORD'});
+ print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n";
+ }
print FILE "\n";
print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n";
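Review bot: escaping `ADMIN_PASSWORD` before the `cachemgr_passwd` line changes the password that is written for any value containing characters `Header::escape` rewrites, so the password the administrator typed no longer works. Both assignments also overwrite `%proxysettings` in place, which affects every later use of those keys in this run. Keep the raw values for the file, reject whitespace and line breaks on input, and escape only on HTML output.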
@@ -3994,8 +4002,13 @@ END
# login=*:password ($proxysettings{'FORWARD_USERNAME'} eq 'on')
if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS'))
{
+ $proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'});
print FILE " login=$proxysettings{'UPSTREAM_USER'}";
- if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; }
+ if ($proxy1 eq 'YES')
+ {
+ $proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'});
+ print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}";
+ }
}
elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; }
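Review bot: `UPSTREAM_USER` and `UPSTREAM_PASSWORD` are HTML-escaped and then written into the `login=` option, so credentials containing characters that `Header::escape` rewrites reach the file in altered form and upstream authentication will fail. What this line needs is a guarantee that neither value contains whitespace or line breaks, and that the user name contains no `:`; a validation step with an error message covers that, with HTML escaping left to the page that displays the values.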
--
2.51.0
* Re: [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877
2025-09-25 11:12 [PATCH 01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 Adolf Belka
` (14 preceding siblings ...)
2025-09-25 11:12 ` [PATCH 16/16] proxy.cgi: Further fix for " Adolf Belka
@ 2025-09-25 12:47 ` Bernhard Bitsch
15 siblings, 0 replies; 24+ messages in thread
From: Bernhard Bitsch @ 2025-09-25 12:47 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
On 25.09.2025 at 13:12, Adolf Belka wrote:
> Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
> Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> html/cgi-bin/fwhosts.cgi | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
> index 953f81e5f..a666969b0 100644
> --- a/html/cgi-bin/fwhosts.cgi
> +++ b/html/cgi-bin/fwhosts.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
> +# Copyright (C) 2013-2025 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
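Review bot: the copyright line replaces `2013 Alexander Marx <amarx@ipfire.org>` with `2013-2025 IPFire Team`, which removes a named author's notice as a side effect of a security fix. Add the IPFire Team line alongside the existing one, or make the header change in a separate commit.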
> @@ -714,7 +714,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
> }
>
> if ($fwhostsettings{'update'} eq 'on'){
> - @target=$fwhostsettings{'COUNTRY_CODE'};
> + @target=&Header::escape($fwhostsettings{'COUNTRY_CODE'});
> $type='Location Group';
>
> #check if host/net exists in grp
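Review bot: `COUNTRY_CODE` is escaped as it is assigned to `@target` in the `savelocationgrp` handler, so the group is saved with encoded text rather than with a checked value. A country code comes from a fixed list, so rejecting any value that is not in that list, with an error message, is the tighter fix and leaves nothing to escape.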
> @@ -796,7 +796,7 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice')
> foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";}
> $customservice{$key}[0] = $fwhostsettings{'SRV_NAME'};
> $customservice{$key}[1] = $fwhostsettings{'SRV_PORT'};
> - $customservice{$key}[2] = $fwhostsettings{'PROT'};
> + $customservice{$key}[2] = &Header::escape($fwhostsettings{'PROT'});
> $customservice{$key}[3] = $ICMP;
> &General::writehasharray("$configsrv", \%customservice );
> #reset fields
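Review bot: `PROT` is escaped on its way into `%customservice`, which is then written out by `writehasharray`, so the stored protocol is encoded rather than validated. A protocol is one of a small fixed set, so compare it against that set and reject anything else. `SRV_NAME` and `SRV_PORT` on the two lines above are stored as received; please confirm they are validated earlier in this handler.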