Project

General

Profile

Actions

Bug #11843

closed

Potential XSS vulnerability in Captive Portal ``redirurl`` handling

Added by Jim Pingle almost 3 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Very High
Assignee:
Category:
Captive Portal
Target version:
Start date:
04/22/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.05.1
Release Notes:
Default
Affected Version:
All
Affected Architecture:
All

Description

The value of redirurl is passed as-is from the client URL into a page result served to users in certain cases. If a logged-in captive portal user visits a manually crafted URL which contains a malicious value for redirurl, and then follows the resulting link, it could lead to JS code being executed in their browser.

It does not appear to be possible to automatically trigger the behavior or to have it be populated from the CP configuration, due to other unrelated issues (#11842 for one example) and browser behaviors. For example, the browser would refuse to redirect and instead would display a protocol violation error.

To test the behavior:

  • Configure and enable a basic captive portal instance for LAN (authentication can be disabled to keep it simple)
  • From a client on LAN, login to the portal
  • From the client, load the following URL: <portal URL>/index.php?zone=<zone name>&redirurl=javascript:alert(location)
    For example: http://192.168.1.1:8002/index.php?zone=guests&redirurl=javascript:alert(location)
  • The page will output a message stating "You are connected" including a link to the contents of redirurl
  • From the client, click the link. The JS is executed.

If the contents of redirurl are not a URL, the link should be omitted.

Actions

Also available in: Atom PDF