Bug #11843
closedPotential XSS vulnerability in Captive Portal ``redirurl`` handling
100%
Description
The value of redirurl
is passed as-is from the client URL into a page result served to users in certain cases. If a logged-in captive portal user visits a manually crafted URL which contains a malicious value for redirurl
, and then follows the resulting link, it could lead to JS code being executed in their browser.
It does not appear to be possible to automatically trigger the behavior or to have it be populated from the CP configuration, due to other unrelated issues (#11842 for one example) and browser behaviors. For example, the browser would refuse to redirect and instead would display a protocol violation error.
To test the behavior:
- Configure and enable a basic captive portal instance for LAN (authentication can be disabled to keep it simple)
- From a client on LAN, login to the portal
- From the client, load the following URL:
<portal URL>/index.php?zone=<zone name>&redirurl=javascript:alert(location)
For example:http://192.168.1.1:8002/index.php?zone=guests&redirurl=javascript:alert(location)
- The page will output a message stating "You are connected" including a link to the contents of
redirurl
- From the client, click the link. The JS is executed.
If the contents of redirurl
are not a URL, the link should be omitted.
Updated by Jim Pingle over 3 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset de9ba32bd3531ccf74e143391deaacb77e085097.
Updated by Jim Pingle over 3 years ago
- Subject changed from Potential XSS vulnerability in Captive Portal redirurl handling to Potential XSS vulnerability in Captive Portal ``redirurl`` handling
Updating subject for release notes.
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.6.0 to 2.5.2
Updated by Steve Wheeler over 3 years ago
- Status changed from Feedback to Resolved
Tested this against 21.05.r.20210526.1807.
Whilst logged in:
10.2.246.12 ac:bc:32:84:78:95 unauthenticated 06/01/2021 21:50:03
Tested:
http://10.2.246.1:8002/index.php?zone=Test_Zone&redirurl=javascript:alert(location)
Resulting page is:
You are connected. <br/>
Updated by Jim Pingle about 3 years ago
- Status changed from Resolved to In Progress
- Target version changed from 2.5.2 to 2.6.0
- Private changed from No to Yes
- Plus Target Version changed from 21.05 to 21.09
Reopening since the fix here is not complete. The URL scheme isn't validated here so it is still possible to trigger by using a redirurl string such as javascript:/**/alert(1)
.
- Start with a fresh install, enable captive portal (zone=guest, LAN) with no authentication.
- Load a client on LAN and login to the portal
- In the browser, go to the following URL:
http://192.168.1.1:8002/index.php?zone=guest&redirurl=javascript:/**/alert(1)
Currently is_URL()
doesn't have a way to validate the value of the URL scheme it only checks the general form. In this case only HTTP and HTTPS links make sense for usage as captive portal redirects, so it should have a way to limit validation. We can't change the default behavior of is_URL()
as other areas of the code may be relying on its current behavior and we do not want to have to chase down and test the other cases.
I have a correction ready to commit, will push shortly.
Updated by Jim Pingle about 3 years ago
- Status changed from In Progress to Feedback
Applied in changeset c416f6fab10f149b15a352dfb609f86a98f6103d.
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 21.05.1
Updated by Jim Pingle about 3 years ago
- Status changed from Feedback to Closed
I can no longer reproduce the problem on 2.6.0 or 21.05.1.