Bug #13262
closed
File browser on ``diag_edit.php`` does not encode filenames before display
Added by Jim Pingle almost 2 years ago.
Updated about 1 year ago.
Plus Target Version:
23.01
Description
The file browser on diag_edit.php does not encode filenames before display.
A user who can create files with arbitrary names can break rendering of the page though exploit potential is minimized by the fact that `/` is not valid in filenames so tags cannot be closed.
A file with the following name can trigger a JS alert: <img src=src onerror=alert(1)>, for example.
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
Tested on
22.09-DEVELOPMENT (amd64)
built on Mon Jun 13 06:21:48 UTC 2022
FreeBSD 12.3-STABLE
and it's no longer an issue. Marking as resolved.
- Status changed from Resolved to In Progress
- % Done changed from 100 to 90
Someone else reported this isn't completely solved. There is one place where $fqpn is used without encoding, but the required filename to exploit is different:
touch '"><img src=src onerror=alert(3) foo=foo>'
- Status changed from In Progress to Feedback
- % Done changed from 90 to 100
- Status changed from Feedback to Resolved
Tested on the:
2.7.0-DEVELOPMENT (amd64)
built on Thu Oct 06 06:04:33 UTC 2022
FreeBSD 14.0-CURRENT
It's fixed. I am marking this ticket resolved.
- Plus Target Version changed from 22.09 to 23.01
- Private changed from Yes to No
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by