* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 88e64c23c16a8f84d256c3d3fb97f46cf383a644
@ 2019-05-10 8:05 Michael Tremer
0 siblings, 0 replies; only message in thread
From: Michael Tremer @ 2019-05-10 8:05 UTC (permalink / raw)
To: ipfire-scm
[-- Attachment #1: Type: text/plain, Size: 3336 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 88e64c23c16a8f84d256c3d3fb97f46cf383a644 (commit)
from 1d6bc7a0dc528eda73e7b4c2a2cd5112c25ad304 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 88e64c23c16a8f84d256c3d3fb97f46cf383a644
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu May 9 14:51:40 2019 +0100
routing: Fix potential authenticated XSS in input processing
An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://192.168.0.241:444/cgi-bin/routing.cgi) Routing Table Entries
via the "Remark" text box or "remark" parameter. This is due to a
lack of user input validation in "Remark" text box or "remark"
parameter. It allows an authenticated WebGUI user with privileges
for the affected page to execute Stored Cross-site Scripting in
the Routing Table Entries (/cgi-bin/routing.cgi), which helps
attacker to redirect the victim to a attacker's phishing page.
The Stored XSS get prompted on the victims page whenever victim
tries to access the Routing Table Entries configuraiton page.
An attacker get access to the victim's session by performing
the CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.
This attack can possibly spoof the victim's informations.
Fixes: #12072
Reported-by: Dharmesh Baskaran <dharmesh201093(a)gmail.com>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/132/filelists/files | 1 +
html/cgi-bin/routing.cgi | 3 +++
2 files changed, 4 insertions(+)
Difference in files:
diff --git a/config/rootfiles/core/132/filelists/files b/config/rootfiles/core/132/filelists/files
index f949492fa..67d009f9c 100644
--- a/config/rootfiles/core/132/filelists/files
+++ b/config/rootfiles/core/132/filelists/files
@@ -9,6 +9,7 @@ srv/web/ipfire/cgi-bin/captive.cgi
srv/web/ipfire/cgi-bin/credits.cgi
srv/web/ipfire/cgi-bin/firewall.cgi
srv/web/ipfire/cgi-bin/proxy.cgi
+srv/web/ipfire/cgi-bin/routing.cgi
srv/web/ipfire/cgi-bin/zoneconf.cgi
usr/lib/firewall/rules.pl
usr/sbin/convert-snort
diff --git a/html/cgi-bin/routing.cgi b/html/cgi-bin/routing.cgi
index f2014e2e1..be21007fa 100644
--- a/html/cgi-bin/routing.cgi
+++ b/html/cgi-bin/routing.cgi
@@ -137,6 +137,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'add'}) {
$errormessage = $Lang::tr{'invalid ip'}. " - ".$Lang::tr{'gateway ip'};
}
+ # Escape input in REMARK field
+ $settings{'REMARK'} = &Header::escape($settings{'REMARK'});
+
#set networkip if not already correctly defined
my($ip,$cidr) = split(/\//,$settings{'IP'});
my $netip=&General::getnetworkip($ip,$cidr);
hooks/post-receive
--
IPFire 2.x development tree
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-05-10 8:05 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-10 8:05 [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 88e64c23c16a8f84d256c3d3fb97f46cf383a644 Michael Tremer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox