Bug #14547
Status: closed
``getserviceproviders.php`` does not always validate value of ``$connection``, displays without encoding
Description
When obtaining PPP service provider plan information, the code in getserviceproviders.php does not test or validate the value of the passed $connection variable from user input. It then passes back the given value without encoding.
Since the page also allows access via GET, a user could potentially be vulnerable to XSS if they visit a specially crafted link while logged in.
The user must be logged in and have sufficient privileges to access getserviceproviders.php. The affected case requires a provider to only have one plan. One example is to set Country: "Armenia", Provider: "Karabakh Telecom".
Example link which will produce a JS alert when visited:
https://192.168.1.1/getserviceproviders.php?country=am&provider=Karabakh%20Telecom&plan=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert(document.domain)%3C/x:script%3E
While here, there are several other issues that could be addressed all at once:
- The plan name is not being properly added in this specific case either, it's printing "Array" when it should be the name in the provider XML (KT_MARK in this example)
- Lots of multi-level array access throughout the file which should really be rewritten to be PHP 8.x friendly
There is a related issue with the user/pass not being populated via JS, I made a separate issue for that, see #14544.
I have a commit ready to fix the validation and encoding as well as updating the PHP code. Will be pushed shortly.
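An added illustration of the two defects the report describes (unvalidated, unencoded reflection of a request value, and the single-plan case printing "Array"); this is not pfSense code and does not reproduce the real getserviceproviders.php. It assumes a PHP 8.1+ runtime, a hypothetical parsed-provider array shape in which a lone `<plan>` element collapses to one associative array instead of a list (an assumed cause of the "Array" output), and uses constructed sample data.

```php
<?php
// Added example (not pfSense code). Requires PHP 8.1+ for array_is_list().
declare(strict_types=1);

// Constructed sample data. With a single plan, a naive XML-to-array conversion
// often yields one associative array rather than a list of them (assumption).
$providerOnePlan  = ['name' => 'Example Telecom',
                     'plan' => ['name' => 'PLAN_A', 'apn' => 'internet']];
$providerTwoPlans = ['name' => 'Example Telecom',
                     'plan' => [['name' => 'PLAN_A', 'apn' => 'internet'],
                                ['name' => 'PLAN_B', 'apn' => 'mms']]];

/** Normalise "one plan" vs "many plans" so callers always receive a list of plans. */
function plan_list(array $provider): array {
    $plans = $provider['plan'] ?? [];
    // A single plan has string keys ('name', 'apn'); a list of plans has integer keys.
    return array_is_list($plans) ? $plans : [$plans];
}

/** Vulnerable pattern: the request value is reflected with no validation and no encoding. */
function render_plan_unsafe(string $connection): string {
    return "<span>Plan: {$connection}</span>";
}

/** Hardened pattern: accept only a plan name that exists in the provider data, then encode. */
function render_plan_safe(array $provider, string $connection): string {
    $known = array_column(plan_list($provider), 'name');
    if (!in_array($connection, $known, true)) {
        // Unknown value: do not reflect it at all; emit a fixed message instead.
        return '<span>Plan: (unknown)</span>';
    }
    $encoded = htmlspecialchars($connection, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<span>Plan: {$encoded}</span>";
}

// Single-plan provider: the naive "first element" access yields an array (prints "Array"),
// the normalised list yields the real plan name.
echo (string) (is_array($providerOnePlan['plan'][0] ?? null) ? 'Array' : 'scalar'), "\n";
echo plan_list($providerOnePlan)[0]['name'], "\n";          // PLAN_A
echo count(plan_list($providerTwoPlans)), "\n";              // 2

$untrusted = '<b>not a plan</b>';                            // constructed request value
echo render_plan_unsafe($untrusted), "\n";                   // markup reflected verbatim
echo render_plan_safe($providerOnePlan, $untrusted), "\n";   // Plan: (unknown)
echo render_plan_safe($providerOnePlan, 'PLAN_A'), "\n";     // Plan: PLAN_A
```

The allow-list check is the primary control here: encoding alone would stop the markup injection, but only validation keeps an arbitrary request value out of the response entirely.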