Bug #14547
closed``getserviceproviders.php`` does not always validate value of ``$connection``, displays without encoding
100%
Description
When obtaining PPP service provider plan information, the code in getserviceproviders.php
does not test or validate the value of the passed $connection
variable from user input. It then passes back the given value without encoding.
Since the page also allows access via GET, a user could potentially be vulnerable to XSS if they visit a specially crafted link while logged in.
The user must be logged in and have sufficient privileges to access getserviceproviders.php
. The affected case requires a provider to only have one plan. One example is to set Country: "Armenia", Provider: "Karabakh Telecom"
Example link which will produce a JS alert when visited:
https://192.168.1.1/getserviceproviders.php?country=am&provider=Karabakh%20Telecom&plan=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert(document.domain)%3C/x:script%3E
While here, there are several other issues that could be addressed all at once:
- The plan name is not being properly added in this specific case either, it's printing "Array" when it should be the name in the provider XML (
KT_MARK
in this example) - Lots of multi-level array access throughout the file which should really be rewritten to be PHP 8.x friendly
There is a related issue with the user/pass not being populated via JS, I made a separate issue for that, see #14544.
I have a commit ready to fix the validation and encoding as well as updating the PHP code. Will be pushed shortly.
Updated by Jim Pingle over 1 year ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 543dc9253d6ab0e755ee043da2217d996a28ab5e.
Updated by Jim Pingle over 1 year ago
- Status changed from Feedback to Resolved
Problem can easily be reproduced on Plus 23.05.1 and CE 2.7.0, but cannot be reproduced on dev snapshots (CE or Plus). Fix appears to be working as expected.
Updated by Jim Pingle about 1 year ago
- Target version changed from 2.8.0 to 2.7.1