Bug #13262
File browser on `diag_edit.php` does not encode filenames before display
Status: closed
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.01
Release Notes: Default
Affected Version:
Affected Architecture:
Description
The file browser on `diag_edit.php` does not encode filenames before display.
A user who can create files with arbitrary names can break rendering of the page, though exploit potential is minimized by the fact that `/` is not valid in filenames so tags cannot be closed.
A file with the following name can trigger a JS alert, for example: `<img src=src onerror=alert(1)>`
Updated by Jim Pingle over 2 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 1b5919c769ba736b44819f71ee1ddce06e2a50c5.
Updated by Christopher Cope over 2 years ago
- Status changed from Feedback to Resolved
Tested on `22.09-DEVELOPMENT (amd64) built on Mon Jun 13 06:21:48 UTC 2022 FreeBSD 12.3-STABLE` and it's no longer an issue. Marking as resolved.
Updated by Jim Pingle about 2 years ago
- Status changed from Resolved to In Progress
- % Done changed from 100 to 90
Someone else reported this isn't completely solved. There is one place where `$fqpn` is used without encoding, but the required filename to exploit is different:
`touch '"><img src=src onerror=alert(3) foo=foo>'`
Updated by Jim Pingle about 2 years ago
- Status changed from In Progress to Feedback
- % Done changed from 90 to 100
Applied in changeset 73ca6743954ac9f35ca293e3f2af63eac20cf32e.
Updated by Danilo Zrenjanin about 2 years ago
- Status changed from Feedback to Resolved
Tested on:
`2.7.0-DEVELOPMENT (amd64) built on Thu Oct 06 06:04:33 UTC 2022 FreeBSD 14.0-CURRENT`
It's fixed. I am marking this ticket resolved.
Updated by Jim Pingle almost 2 years ago
- Plus Target Version changed from 22.09 to 23.01
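The second filename in this ticket begins with `">`, the shape that ends a quoted attribute value, so encoding has to cover attribute output as well as element text. The following PHP is an added example, not pfSense code and not the content of the changesets referenced above; the markup and function names are hypothetical, and only the variable name `$fqpn` is borrowed from the ticket. It renders the same entry without and with `htmlspecialchars()`:

```php
<?php
// Added example, not pfSense code: markup and function names are hypothetical.

// Encode a value so it is safe in HTML text and in quoted attributes alike.
function h(string $s): string
{
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of making the call return an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unencoded: the path lands raw in an attribute and the name raw in element text.
function render_entry_unsafe(string $fqpn): string
{
    $name = basename($fqpn);
    return '<a class="file" title="' . $fqpn . '">' . $name . '</a>';
}

// Encoded: every interpolated value is encoded at the point of output.
function render_entry_safe(string $fqpn): string
{
    $name = basename($fqpn);
    return '<a class="file" title="' . h($fqpn) . '">' . h($name) . '</a>';
}

// Constructed sample paths; the first two use the filenames quoted in the ticket.
$samples = [
    '/tmp/<img src=src onerror=alert(1)>',
    '/tmp/"><img src=src onerror=alert(3) foo=foo>',
    '/tmp/config.xml',
];

foreach ($samples as $fqpn) {
    $safe = render_entry_safe($fqpn);
    // With encoding in place, the only tag starts left are the <a> and </a>
    // written by the template itself.
    $tags = preg_match_all('/<[a-z\/]/i', $safe);
    printf("%s\n  tag starts in encoded output: %d\n", $fqpn, $tags);
    echo "  unsafe: ", render_entry_unsafe($fqpn), "\n";
    echo "  safe:   ", $safe, "\n";
}
```

Run it from the command line and compare the two output lines per sample: in the encoded form the filename characters `<`, `>` and `"` appear as `&lt;`, `&gt;` and `&quot;`.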