Bug #11843
closed
Potential XSS vulnerability in Captive Portal ``redirurl`` handling
Added by Jim Pingle over 3 years ago.
Updated almost 3 years ago.
Plus Target Version:
21.05.1
Affected Architecture:
All
Description
The value of redirurl is passed as-is from the client URL into a page result served to users in certain cases. If a logged-in captive portal user visits a manually crafted URL which contains a malicious value for redirurl, and then follows the resulting link, it could lead to JS code being executed in their browser.
It does not appear to be possible to automatically trigger the behavior or to have it be populated from the CP configuration, due to other unrelated issues (#11842 for one example) and browser behaviors. For example, the browser would refuse to redirect and instead would display a protocol violation error.
To test the behavior:
- Configure and enable a basic captive portal instance for LAN (authentication can be disabled to keep it simple)
- From a client on LAN, login to the portal
- From the client, load the following URL:
<portal URL>/index.php?zone=<zone name>&redirurl=javascript:alert(location)
For example: http://192.168.1.1:8002/index.php?zone=guests&redirurl=javascript:alert(location)
- The page will output a message stating "You are connected" including a link to the contents of
redirurl
- From the client, click the link. The JS is executed.
If the contents of redirurl are not a URL, the link should be omitted.
- Description updated (diff)
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Plus Target Version set to 21.05
- Subject changed from Potential XSS vulnerability in Captive Portal redirurl handling to Potential XSS vulnerability in Captive Portal ``redirurl`` handling
Updating subject for release notes.
- Target version changed from 2.6.0 to 2.5.2
- Status changed from Feedback to Resolved
Tested this against 21.05.r.20210526.1807.
Whilst logged in:
10.2.246.12 ac:bc:32:84:78:95 unauthenticated 06/01/2021 21:50:03
Tested:
http://10.2.246.1:8002/index.php?zone=Test_Zone&redirurl=javascript:alert(location)
Resulting page is:
You are connected.
<br/>
- Private changed from Yes to No
- Status changed from Resolved to In Progress
- Target version changed from 2.5.2 to 2.6.0
- Private changed from No to Yes
- Plus Target Version changed from 21.05 to 21.09
Reopening since the fix here is not complete. The URL scheme isn't validated here so it is still possible to trigger by using a redirurl string such as javascript:/**/alert(1).
Currently is_URL() doesn't have a way to validate the value of the URL scheme it only checks the general form. In this case only HTTP and HTTPS links make sense for usage as captive portal redirects, so it should have a way to limit validation. We can't change the default behavior of is_URL() as other areas of the code may be relying on its current behavior and we do not want to have to chase down and test the other cases.
I have a correction ready to commit, will push shortly.
- Status changed from In Progress to Feedback
- Plus Target Version changed from 21.09 to 21.05.1
- Status changed from Feedback to Closed
I can no longer reproduce the problem on 2.6.0 or 21.05.1.
- Private changed from Yes to No
Also available in: Atom
PDF
Updated by 
Updated by