Bug #12725
closedPotential XSS in ``pkg.php`` via ``pkg_filter``
100%
Description
The pkg_filter
parameter on pkg.php
is not encoded before being printed back to the user, leading to a potential XSS.
Additionally, submitting an invalid regex pattern prints an ugly PHP error on the page, for example:
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Both problems are solved by sanitizing the content of the variable and also by removing unnecessary output of the variable in question.
The simplest way to reproduce the problem is:
- Install a package such as FreeRADIUS which uses the list feature of pkg.php on its Users tab.
- Create a user or two if none exist
- Submit a string in the "Filter text" field such as
--><script>alert('XSS')</script><!--
to check for XSS and PHP error - Submit a string in the "Filter text" field such as
one/two
to reproduce the PHP error without XSS
Before the fix is in place, the first test will produce a JavaScript alert with the text "XSS" along with a PHP error on the page above the "Filter by" line. The second test will produce the PHP error but not the JS alert.
After the fix is in place, neither string will produce an error and filter text that matches an existing account will filter the list appropriately.
Updated by Jim Pingle almost 3 years ago
- Status changed from New to Pull Request Review
Updated by Jim Pingle almost 3 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 5d82cce0d615a76b738798577a28a15803e59aeb.
Updated by Jim Pingle almost 3 years ago
- Target version set to 2.6.0
- Plus Target Version set to 22.01
Updated by Jim Pingle almost 3 years ago
- Description updated (diff)
Updated description with better info on reproducing the problem and confirming the fix.