From: Adolf Belka
Date: Thu, 25 Sep 2025 11:12:52 +0000 (+0200)
Subject: proxy.cgi: Further fix for bug 13893
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ceb7c7e8b3191109e7dd7c84444dce126996ee2;p=ipfire-2.x.git

proxy.cgi: Further fix for bug 13893

- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD

Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer
---
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 1ade39381..3fbd78d2c 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3977,8 +3977,16 @@ END print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n"; } - if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; } - if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; } + if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) + { + $proxysettings{'ADMIN_MAIL_ADDRESS'} = &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'}); + print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; + } + if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) + { + $proxysettings{'ADMIN_PASSWORD'} = &Header::escape($proxysettings{'ADMIN_PASSWORD'}); + print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; + } print FILE "\n"; print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n"; @@ -3994,8 +4002,13 @@ END # login=*:password ($proxysettings{'FORWARD_USERNAME'} eq 'on') if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS')) { + $proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'}); print FILE " login=$proxysettings{'UPSTREAM_USER'}"; - if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; } + if ($proxy1 eq 'YES') + { + $proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'}); + print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; + } } elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; }
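Review bot: in the ADMIN_MAIL_ADDRESS / ADMIN_PASSWORD hunk the escaping is applied at the point where the values are written into the squid configuration (`print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"` and `print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"`), which is not where a stored XSS in these settings would be rendered; the XSS sink is the HTML the CGI sends back to the browser, and nothing in this hunk touches that path, so the hunk changes what squid reads rather than what the browser receives. If &Header::escape is the HTML-entity escaper (which its use for an XSS fix suggests), an admin password containing `&`, `<`, `>`, `"` or `'` is written to cachemgr_passwd as entity text, so the password squid enforces no longer matches the one the admin typed, and because the escaped value is assigned back into $proxysettings{'ADMIN_PASSWORD'} any later read of that key in the same run sees the mutated value too. Entity escaping also does nothing about the characters that matter in a config file (whitespace, newlines and control characters, which are what would let a value break out of its directive). Suggest escaping at the HTML output site only, writing the raw value here, and, if these fields should be hardened on save, validating them against an allow-list at that point (e.g. rejecting whitespace and control characters) rather than rewriting them as they are emitted.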
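Review bot: the same problem applies to the `login=` part of the cache_peer line in the second hunk: `$proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'});` and the matching assignment for UPSTREAM_PASSWORD rewrite the credentials that squid presents to the upstream proxy, so a username or password containing any character the escaper rewrites will fail upstream authentication, while the page that displays these settings is left as it was. Both assignments also clobber the hash entries in place instead of escaping into a local variable. Suggest dropping the escaping from the squid.conf writer and handling the XSS where the values are rendered into HTML. A smaller style point: the rewrite moves from the one-line `if (...) { ... }` form used throughout this block to braces on their own lines, which is inconsistent with the surrounding code.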