[git.ipfire.org] IPFire 2.x development tree branch, next, updated. f0e0056eef6ec387f986bd48d009d673863072e3

[git.ipfire.org] IPFire 2.x development tree branch, next, updated. f0e0056eef6ec387f986bd48d009d673863072e3

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3687 bytes --]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  f0e0056eef6ec387f986bd48d009d673863072e3 (commit)
       via  462bc3d1595df12dd16a5d93f86a48e5bf33178b (commit)
      from  939f227e0b5275ac7deea30256a3a11b2b81e99a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f0e0056eef6ec387f986bd48d009d673863072e3
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu May 9 13:17:16 2019 +0100

    core132: Ship updated captive.cgi
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 462bc3d1595df12dd16a5d93f86a48e5bf33178b
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue May 7 21:36:21 2019 +0100

    captive: Fix potential authenticated XSS in title processing
    
    An authenticated Stored XSS (Cross-site Scripting) exists in the
    (https://localhost:444/cgi-bin/captive.cgi) Captive Portal via the
    "Title of Login Page" text box or "TITLE" parameter. This is due to
    a lack of user input validation in "Title of Login Page" text box
    or "TITLE" parameter. It allows an authenticated WebGUI user with
    privileges for the affected page to execute Stored Cross-site
    Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which
    helps attacker to redirect the victim to a attacker's page.
    
    The Stored XSS get prompted on the victims page whenever victim
    tries to access the Captive Portal page.
    
    An attacker get access to the victim's session by performing the
    CSRF and gather the cookie and session id's or possibly can
    change the victims configuration using this Stored XSS.
    
    This attack can possibly spoof the victim's informations.
    
    Fixes: #12071
    Reported-by: Dharmesh Baskaran <dharmesh201093(a)gmail.com>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/core/132/filelists/files | 1 +
 html/cgi-bin/captive.cgi                  | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

Difference in files:
diff --git a/config/rootfiles/core/132/filelists/files b/config/rootfiles/core/132/filelists/files
index 9efd7a429..f949492fa 100644
--- a/config/rootfiles/core/132/filelists/files
+++ b/config/rootfiles/core/132/filelists/files
@@ -5,6 +5,7 @@ etc/rc.d/init.d/suricata
 etc/suricata/suricata.yaml
 opt/pakfire/lib/functions.pl
 opt/pakfire/pakfire
+srv/web/ipfire/cgi-bin/captive.cgi
 srv/web/ipfire/cgi-bin/credits.cgi
 srv/web/ipfire/cgi-bin/firewall.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
diff --git a/html/cgi-bin/captive.cgi b/html/cgi-bin/captive.cgi
index 65cc349ba..b7c42e797 100755
--- a/html/cgi-bin/captive.cgi
+++ b/html/cgi-bin/captive.cgi
@@ -104,7 +104,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
 	$settings{'ENABLE_GREEN'}		= $cgiparams{'ENABLE_GREEN'};
 	$settings{'ENABLE_BLUE'}		= $cgiparams{'ENABLE_BLUE'};
 	$settings{'AUTH'}				= $cgiparams{'AUTH'};
-	$settings{'TITLE'}				= $cgiparams{'TITLE'};
+	$settings{'TITLE'}			= &Header::escape($cgiparams{'TITLE'});
 	$settings{'COLOR'}			= $cgiparams{'COLOR'};
 	$settings{'SESSION_TIME'}		= $cgiparams{'SESSION_TIME'};
 


hooks/post-receive
--
IPFire 2.x development tree