Project

General

Profile

Actions

Bug #14547

closed

``getserviceproviders.php`` does not always validate value of ``$connection``, displays without encoding

Added by Jim Pingle over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
PPP Interfaces
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

When obtaining PPP service provider plan information, the code in getserviceproviders.php does not test or validate the value of the passed $connection variable from user input. It then passes back the given value without encoding.

Since the page also allows access via GET, a user could potentially be vulnerable to XSS if they visit a specially crafted link while logged in.

The user must be logged in and have sufficient privileges to access getserviceproviders.php. The affected case requires a provider to only have one plan. One example is to set Country: "Armenia", Provider: "Karabakh Telecom"

Example link which will produce a JS alert when visited:

https://192.168.1.1/getserviceproviders.php?country=am&provider=Karabakh%20Telecom&plan=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert(document.domain)%3C/x:script%3E

While here, there are several other issues that could be addressed all at once:

  • The plan name is not being properly added in this specific case either, it's printing "Array" when it should be the name in the provider XML (KT_MARK in this example)
  • Lots of multi-level array access throughout the file which should really be rewritten to be PHP 8.x friendly

There is a related issue with the user/pass not being populated via JS, I made a separate issue for that, see #14544.

I have a commit ready to fix the validation and encoding as well as updating the PHP code. Will be pushed shortly.

Actions #1

Updated by Jim Pingle over 1 year ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved

Problem can easily be reproduced on Plus 23.05.1 and CE 2.7.0, but cannot be reproduced on dev snapshots (CE or Plus). Fix appears to be working as expected.

Actions #4

Updated by Jim Pingle about 1 year ago

  • Target version changed from 2.8.0 to 2.7.1
Actions #5

Updated by Jim Pingle about 1 year ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF