captive: Fix potential authenticated XSS in title processing

An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://localhost:444/cgi-bin/captive.cgi) Captive Portal via the
"Title of Login Page" text box or "TITLE" parameter. This is due to
a lack of user input validation in "Title of Login Page" text box
or "TITLE" parameter. It allows an authenticated WebGUI user with
privileges for the affected page to execute Stored Cross-site
Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which
helps attacker to redirect the victim to a attacker's page.

The Stored XSS get prompted on the victims page whenever victim
tries to access the Captive Portal page.

An attacker get access to the victim's session by performing the
CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.

This attack can possibly spoof the victim's informations.

Fixes: #12071
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/html/cgi-bin/captive.cgi b/html/cgi-bin/captive.cgi
index 65cc349baf8e76a68b2e7aa5a7cc88bbf164d79c..b7c42e797e4fb6964f3755679da8287716123740 100755 (executable)
--- a/html/cgi-bin/captive.cgi
+++ b/html/cgi-bin/captive.cgi
@@ -104,7 +104,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
        $settings{'ENABLE_GREEN'}               = $cgiparams{'ENABLE_GREEN'};
        $settings{'ENABLE_BLUE'}                = $cgiparams{'ENABLE_BLUE'};
        $settings{'AUTH'}                               = $cgiparams{'AUTH'};
-       $settings{'TITLE'}                              = $cgiparams{'TITLE'};
+       $settings{'TITLE'}                      = &Header::escape($cgiparams{'TITLE'});
        $settings{'COLOR'}                      = $cgiparams{'COLOR'};
        $settings{'SESSION_TIME'}               = $cgiparams{'SESSION_TIME'};