git.ipfire.org Git - ipfire-2.x.git/commit
proxy.cgi: Further fix for bug 13893
author Adolf Belka <adolf.belka@ipfire.org>
Thu, 25 Sep 2025 11:12:52 +0000 (13:12 +0200)
committer Michael Tremer <michael.tremer@ipfire.org>
Thu, 25 Sep 2025 14:03:35 +0000 (14:03 +0000)
commit e22ecef885c34462565ae20020a32a27d0585dc3
tree 81abcba3c8bec4baef171edfd50b7d5ff5a8748b
parent 4cf0694e55305e368c4ca28da2db7481c8f08c5a
proxy.cgi: Further fix for bug 13893

- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
   for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
   description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
   ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
   which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
   bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
   ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD

Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/proxy.cgi