From: Michael Tremer
Date: Tue, 7 May 2019 20:36:21 +0000 (+0100)
Subject: captive: Fix potential authenticated XSS in title processing
X-Git-Tag: v2.23-core133~150
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=462bc3d1595df12dd16a5d93f86a48e5bf33178b;ds=sidebyside

captive: Fix potential authenticated XSS in title processing

An authenticated Stored XSS (Cross-site Scripting) exists in the Captive Portal (https://localhost:444/cgi-bin/captive.cgi) via the "Title of Login Page" text box or "TITLE" parameter. This is due to a lack of user input validation in the "Title of Login Page" text box or "TITLE" parameter. It allows an authenticated WebGUI user with privileges for the affected page to execute Stored Cross-site Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which helps the attacker redirect the victim to an attacker's page. The Stored XSS gets prompted on the victim's page whenever the victim tries to access the Captive Portal page. An attacker gets access to the victim's session by performing the CSRF and gathering the cookies and session IDs, or can possibly change the victim's configuration using this Stored XSS. This attack can possibly spoof the victim's information.

Fixes: #12071
Reported-by: Dharmesh Baskaran
Signed-off-by: Michael Tremer
---
diff --git a/html/cgi-bin/captive.cgi b/html/cgi-bin/captive.cgi index 65cc349baf..b7c42e797e 100755 --- a/html/cgi-bin/captive.cgi +++ b/html/cgi-bin/captive.cgi @@ -104,7 +104,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $settings{'ENABLE_GREEN'} = $cgiparams{'ENABLE_GREEN'}; $settings{'ENABLE_BLUE'} = $cgiparams{'ENABLE_BLUE'}; $settings{'AUTH'} = $cgiparams{'AUTH'}; - $settings{'TITLE'} = $cgiparams{'TITLE'}; + $settings{'TITLE'} = &Header::escape($cgiparams{'TITLE'}); $settings{'COLOR'} = $cgiparams{'COLOR'}; $settings{'SESSION_TIME'} = $cgiparams{'SESSION_TIME'};
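Review bot: escaping at save time leaves any title that was stored before this change unescaped, because the hunk only touches the save-path assignment `$settings{'TITLE'} = &Header::escape($cgiparams{'TITLE'});` and nothing re-encodes values already sitting in the settings file; encoding at output, where the title is printed into the page, would cover old and new values alike and would also avoid double-encoding if the render path ever escapes as well. Please also confirm that Header::escape encodes quotes and not only angle brackets, since a title that lands inside an HTML attribute needs that. The neighbouring `$settings{'COLOR'} = $cgiparams{'COLOR'};` and `$settings{'SESSION_TIME'} = $cgiparams{'SESSION_TIME'};` lines in the same hunk are still stored exactly as received; a whitelist check there (a hex colour pattern, an integer range) is cheap and keeps the save block consistent.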