Project

General

Profile

Actions

Bug #13262

closed

File browser on ``diag_edit.php`` does not encode filenames before display

Added by Jim Pingle almost 2 years ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Diagnostics
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

The file browser on diag_edit.php does not encode filenames before display.

A user who can create files with arbitrary names can break rendering of the page though exploit potential is minimized by the fact that `/` is not valid in filenames so tags cannot be closed.

A file with the following name can trigger a JS alert: <img src=src onerror=alert(1)>, for example.

Actions #1

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Christopher Cope almost 2 years ago

  • Status changed from Feedback to Resolved

Tested on

22.09-DEVELOPMENT (amd64)
built on Mon Jun 13 06:21:48 UTC 2022
FreeBSD 12.3-STABLE

and it's no longer an issue. Marking as resolved.

Actions #3

Updated by Jim Pingle over 1 year ago

  • Status changed from Resolved to In Progress
  • % Done changed from 100 to 90

Someone else reported this isn't completely solved. There is one place where $fqpn is used without encoding, but the required filename to exploit is different:

touch '"><img src=src onerror=alert(3) foo=foo>'
Actions #5

Updated by Jim Pingle over 1 year ago

  • Status changed from In Progress to Feedback
  • % Done changed from 90 to 100
Actions #6

Updated by Danilo Zrenjanin over 1 year ago

  • Status changed from Feedback to Resolved

Tested on the:

2.7.0-DEVELOPMENT (amd64)
built on Thu Oct 06 06:04:33 UTC 2022
FreeBSD 14.0-CURRENT

It's fixed. I am marking this ticket resolved.

Actions #7

Updated by Jim Pingle about 1 year ago

  • Plus Target Version changed from 22.09 to 23.01
Actions #8

Updated by Jim Pingle about 1 year ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF