captive: Fix potential authenticated XSS in title processing
author Michael Tremer <michael.tremer@ipfire.org>
Tue, 7 May 2019 20:36:21 +0000 (21:36 +0100)
committer Michael Tremer <michael.tremer@ipfire.org>
Thu, 9 May 2019 12:16:52 +0000 (13:16 +0100)
An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://localhost:444/cgi-bin/captive.cgi) Captive Portal via the
"Title of Login Page" text box or "TITLE" parameter. This is due to
a lack of user input validation in the "Title of Login Page" text box
or "TITLE" parameter. It allows an authenticated WebGUI user with
privileges for the affected page to execute Stored Cross-site
Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which
helps an attacker redirect the victim to an attacker's page.

The Stored XSS gets prompted on the victim's page whenever the victim
tries to access the Captive Portal page.

An attacker gets access to the victim's session by performing the
CSRF and gathering the cookies and session IDs, or can possibly
change the victim's configuration using this Stored XSS.

This attack can possibly spoof the victim's information.

Fixes: #12071
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/captive.cgi

index 65cc349..b7c42e7 100755 (executable)
@@ -104,7 +104,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
        $settings{'ENABLE_GREEN'}               = $cgiparams{'ENABLE_GREEN'};
        $settings{'ENABLE_BLUE'}                = $cgiparams{'ENABLE_BLUE'};
        $settings{'AUTH'}                               = $cgiparams{'AUTH'};
-       $settings{'TITLE'}                              = $cgiparams{'TITLE'};
+       $settings{'TITLE'}                      = &Header::escape($cgiparams{'TITLE'});
        $settings{'COLOR'}                      = $cgiparams{'COLOR'};
        $settings{'SESSION_TIME'}               = $cgiparams{'SESSION_TIME'};
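Review bot: the escaping on the `+ $settings{'TITLE'}` line happens at save time only, so a title stored before this change stays unescaped until the settings page is saved again, and every place that prints `$settings{'TITLE'}` is protected only to the extent that `&Header::escape` output is safe for that context (HTML body text, not necessarily an attribute or script). Escaping at the point where the title is emitted, in addition to or instead of here, would cover previously saved values and keep the stored setting as the raw string; if the stored value is escaped, check that writing it back into the "Title of Login Page" input does not double-escape it. The neighbouring `COLOR` and `SESSION_TIME` assignments in the same block still copy `$cgiparams` values verbatim; validating them against their expected shape (a colour value, an integer) before storing would round out this fix. Minor: the `=` on the new line is no longer aligned with the surrounding assignments.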