From: Michael Tremer
Date: Thu, 9 May 2019 13:51:40 +0000 (+0100)
Subject: routing: Fix potential authenticated XSS in input processing
X-Git-Tag: v2.23-core133~144
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=88e64c23c16a8f84d256c3d3fb97f46cf383a644

routing: Fix potential authenticated XSS in input processing

An authenticated Stored XSS (Cross-site Scripting) exists in the (https://192.168.0.241:444/cgi-bin/routing.cgi) Routing Table Entries via the "Remark" text box or "remark" parameter. This is due to a lack of user input validation in the "Remark" text box or "remark" parameter. It allows an authenticated WebGUI user with privileges for the affected page to execute Stored Cross-site Scripting in the Routing Table Entries (/cgi-bin/routing.cgi), which helps an attacker to redirect the victim to an attacker's phishing page. The Stored XSS gets prompted on the victim's page whenever the victim tries to access the Routing Table Entries configuration page. An attacker gets access to the victim's session by performing the CSRF and gathering the cookie and session IDs, or can possibly change the victim's configuration using this Stored XSS. This attack can possibly spoof the victim's information.

Fixes: #12072
Reported-by: Dharmesh Baskaran
Signed-off-by: Michael Tremer
---
diff --git a/config/rootfiles/core/132/filelists/files b/config/rootfiles/core/132/filelists/files index f949492fa7..67d009f9c0 100644 --- a/config/rootfiles/core/132/filelists/files +++ b/config/rootfiles/core/132/filelists/files @@ -9,6 +9,7 @@ srv/web/ipfire/cgi-bin/captive.cgi srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/firewall.cgi srv/web/ipfire/cgi-bin/proxy.cgi +srv/web/ipfire/cgi-bin/routing.cgi srv/web/ipfire/cgi-bin/zoneconf.cgi usr/lib/firewall/rules.pl usr/sbin/convert-snort diff --git a/html/cgi-bin/routing.cgi b/html/cgi-bin/routing.cgi index f2014e2e12..be21007fa8 100644 --- a/html/cgi-bin/routing.cgi +++ b/html/cgi-bin/routing.cgi 
@@ -137,6 +137,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'add'}) { $errormessage = $Lang::tr{'invalid ip'}. " - ".$Lang::tr{'gateway ip'}; } + # Escape input in REMARK field + $settings{'REMARK'} = &Header::escape($settings{'REMARK'}); + #set networkip if not already correctly defined my($ip,$cidr) = split(/\//,$settings{'IP'}); my $netip=&General::getnetworkip($ip,$cidr);
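Review bot: the `&Header::escape($settings{'REMARK'})` call added in this hunk runs only in the `$settings{'ACTION'} eq $Lang::tr{'add'}` branch, at input time, so any remark already stored in the routing configuration before this change is still written to the page unescaped until that entry is re-saved; escaping at the point where REMARK is rendered (or escaping stored values on read as well) would cover existing entries. Storing the escaped value also means the config file now holds HTML entities, so if the CGI has an edit path that re-submits a stored remark through this same branch without unescaping it first, the value is escaped again on each save (`&lt;` becoming `&amp;lt;`); please confirm that path, or move the escape to output. Minor: the new code sits after the `gateway ip` validation error is set but is applied regardless of `$errormessage`, which is harmless here but worth a comment next to `# Escape input in REMARK field`.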
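To make the difference between the two escaping strategies concrete, here is an added example in Perl; it is not IPFire code and not part of this commit. It uses a constructed attacker remark, a stand-in `escape_html` helper (the real `Header::escape` is not shown on this page, so the entity set it covers is an assumption), and contrasts rendering a raw stored remark, escaping at output, and the patch's approach of escaping on input.

```perl
#!/usr/bin/perl
# Added example, not IPFire code. Shows why an unescaped "remark" is a
# stored XSS and how escape-on-output differs from escape-on-input.
use strict;
use warnings;

# Constructed attacker input for the "remark" parameter (not a real
# payload from the report): redirects the viewer to a phishing page.
my $remark = q{<script>location='https://attacker.example/'</script>};

# Stand-in for Header::escape, which is not shown on this page. The
# entity set (& < > " ') is an assumption about what that function does.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#039;/g;
    return $s;
}

# Vulnerable rendering: the stored remark is interpolated into the page
# unchanged, so a <script> element in it executes in the admin's browser.
sub render_row_vulnerable {
    my ($stored) = @_;
    return "<td>$stored</td>";
}

# Hardened at output: the remark is stored raw and escaped exactly once,
# where it is written into HTML. Existing entries are covered too.
sub render_row_escaped {
    my ($stored) = @_;
    return "<td>" . escape_html($stored) . "</td>";
}

# The patch's approach: escape before storing. The stored value now
# contains entities, so it must be rendered WITHOUT escaping again.
my $stored_escaped = escape_html($remark);

print "vulnerable:                      ", render_row_vulnerable($remark), "\n";
print "escape on output:                ", render_row_escaped($remark), "\n";
print "escape on input, rendered raw:   ", render_row_vulnerable($stored_escaped), "\n";
print "escape on input, escaped again:  ", render_row_escaped($stored_escaped), "\n";

# Simulate an edit form that re-submits the stored (already escaped)
# value through the same input path: each save escapes it once more.
my $resaved = escape_html($stored_escaped);
print "after one re-save through input: ", $resaved, "\n";
```

The second line of output is the safe rendering; the third is what the patch produces for a newly added entry. The fourth and fifth lines show the two caveats of escaping on input: a renderer that also escapes, or an edit path that re-submits the stored value, turns `&lt;` into `&amp;lt;` and the remark displays as literal entity text after each save. Escaping once at output, with the raw value in the config file, avoids both problems and also protects entries saved before the fix.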