Project

General

Profile

Actions

Bug #12725

closed

Potential XSS in ``pkg.php`` via ``pkg_filter``

Added by Jim Pingle over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Package System
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

The pkg_filter parameter on pkg.php is not encoded before being printed back to the user, leading to a potential XSS.

Additionally, submitting an invalid regex pattern prints an ugly PHP error on the page, for example:

Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456

Both problems are solved by sanitizing the content of the variable and also by removing unnecessary output of the variable in question.

The simplest way to reproduce the problem is:

  • Install a package such as FreeRADIUS which uses the list feature of pkg.php on its Users tab.
  • Create a user or two if none exist
  • Submit a string in the "Filter text" field such as --><script>alert('XSS')</script><!-- to check for XSS and PHP error
  • Submit a string in the "Filter text" field such as one/two to reproduce the PHP error without XSS

Before the fix is in place, the first test will produce a JavaScript alert with the text "XSS" along with a PHP error on the page above the "Filter by" line. The second test will produce the PHP error but not the JS alert.

After the fix is in place, neither string will produce an error and filter text that matches an existing account will filter the list appropriately.

Actions

Also available in: Atom PDF