From 6d107e8683fb816f0f63fd6022b30a277ea9d191 Mon Sep 17 00:00:00 2001
From: Adolf Belka
Date: Thu, 2 Oct 2025 13:10:15 +0200
Subject: [PATCH] firewall.cgi: Fixes XSS potential
- Related to CVE-2025-50975
- Fixes PROT
- ruleremark was already escaped when firewall.cgi was initially merged back in Core Update 77.
- SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as ports or port ranges.
- std_net_tgt is a string defined in the code and not a variable
- The variable key ignores any input that is not a digit and subsequently uses the next free rulenumber digit
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer
---
 html/cgi-bin/firewall.cgi | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 5f1eac09e..20e6a95e4 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2013 Alexander Marx #
+# Copyright (C) 2013-2025 IPFire Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -2351,6 +2351,7 @@ sub saverule
 $fwdfwsettings{'ruleremark'}=~ s/,/;/g;
 utf8::decode($fwdfwsettings{'ruleremark'});
 $fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'});
+ $fwdfwsettings{'PROT'}=&Header::escape($fwdfwsettings{'PROT'});
 if ($fwdfwsettings{'updatefwrule'} ne 'on'){
 my $key = &General::findhasharraykey ($hash);
 $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
--
2.47.3
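Review bot: The added `$fwdfwsettings{'PROT'}=&Header::escape($fwdfwsettings{'PROT'});` in the saverule hunk makes PROT safe to print but still accepts arbitrary text as a protocol, and the HTML-encoded form is what is then carried into the stored rule. A protocol field has a small fixed set of legal values, so rejecting anything outside the list the form offers would be a stronger control than output encoding. Whether that check already exists cannot be seen here, because saverule starts and ends outside the hunk. The ruleremark line three above replaces commas (`s/,/;/g`) before escaping while PROT gets no such treatment, so if the comma matters to the stored rule format (presumably comma-separated; to be confirmed) PROT needs the same handling or the allow-list check. At minimum I would add a comment such as `# PROT is HTML-escaped at save time; it should also be checked against the known protocol list before storing`.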