Project

General

Profile

Actions

Bug #12725

closed

Potential XSS in ``pkg.php`` via ``pkg_filter``

Added by Jim Pingle about 2 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Package System
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

The pkg_filter parameter on pkg.php is not encoded before being printed back to the user, leading to a potential XSS.

Additionally, submitting an invalid regex pattern prints an ugly PHP error on the page, for example:

Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456

Both problems are solved by sanitizing the content of the variable and also by removing unnecessary output of the variable in question.

The simplest way to reproduce the problem is:

  • Install a package such as FreeRADIUS which uses the list feature of pkg.php on its Users tab.
  • Create a user or two if none exist
  • Submit a string in the "Filter text" field such as --><script>alert('XSS')</script><!-- to check for XSS and PHP error
  • Submit a string in the "Filter text" field such as one/two to reproduce the PHP error without XSS

Before the fix is in place, the first test will produce a JavaScript alert with the text "XSS" along with a PHP error on the page above the "Filter by" line. The second test will produce the PHP error but not the JS alert.

After the fix is in place, neither string will produce an error and filter text that matches an existing account will filter the list appropriately.

Actions #1

Updated by Jim Pingle about 2 years ago

  • Private changed from No to Yes
Actions #2

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Pull Request Review
Actions #3

Updated by Jim Pingle about 2 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Jim Pingle about 2 years ago

  • Target version set to 2.6.0
  • Plus Target Version set to 22.01
Actions #6

Updated by Jim Pingle about 2 years ago

  • Description updated (diff)

Updated description with better info on reproducing the problem and confirming the fix.

Actions #7

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Closed
Actions #8

Updated by Jim Pingle about 2 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF