Bug #14548

``status_logs_filter_dynamic.php`` does not encode value of ``interfacefilter`` in raw mode

Added by Jim Pingle 10 months ago. Updated 6 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: System Logs
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.09
Release Notes: Default
Affected Version:
Affected Architecture:

Description

When accessing the dynamic firewall log view via status_logs_filter_dynamic.php in RAW mode (filtersubmit=1) the value supplied by the user in the interface parameter is used later internally through the interfacefilter parameter to fetch new updates via AJAX. When rendering the page this value is placed directly in the page without encoding inside a block of JavaScript.

Since the page also allows submitting these parameters via GET, a user could potentially be vulnerable to XSS if they visit a specially crafted link.

The user must be logged in and have sufficient privileges to access status_logs_filter_dynamic.php.

Example link which will produce a JS alert when visited:

https://192.168.1.1/status_logs_filter_dynamic.php?interface=foo%22;alert(document.domain)%20//%20&filtersubmit=1
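The following is an added example, not code from pfSense or from the reporter, that models the pattern described above in a few lines of stand-alone PHP: a request parameter interpolated into a `<script>` block unencoded, beside the same rendering done safely. The function names, the `PAYLOAD` constant (the URL-decoded `interface` value from the example link) and the interface list are assumptions made for illustration; the actual fix committed for this issue may differ.

```php
<?php
// Added example (not pfSense code). Demonstrates why the example link in the
// report produces an alert and shows two standard ways to close the hole.

// URL-decoded form of the "interface" value from the report's example link
// (assumption: constructed here from the URL in the report).
const PAYLOAD = 'foo";alert(document.domain) // ';

// Unsafe pattern: the value is placed directly inside a JavaScript string
// literal. The embedded double quote ends the literal, alert(...) runs as
// code, and the trailing "//" comments out the rest of the original line.
function render_unsafe(string $interfacefilter): string {
    return '<script>var interfacefilter = "' . $interfacefilter . '";</script>';
}

// Safe pattern for a value that lives inside JavaScript: json_encode emits a
// valid JS string literal and escapes quotes and backslashes; the JSON_HEX_*
// flags additionally hex-escape < > & ' " so the value cannot contain a
// literal "</script>" or "<!--" that would terminate the script block.
function render_safe(string $interfacefilter): string {
    $js = json_encode(
        $interfacefilter,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<script>var interfacefilter = ' . $js . ';</script>';
}

// When the same value is echoed into HTML text or an attribute (not into a
// script block), htmlspecialchars is the right encoder instead.
function render_html(string $interfacefilter): string {
    $html = htmlspecialchars($interfacefilter, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="interfacefilter" value="' . $html . '">';
}

// Stronger still: an interface filter only ever needs to name an interface
// the firewall knows, so validating against that list (assumed names here)
// rejects the payload before any output encoding is needed.
function interface_is_known(string $name, array $known_interfaces): bool {
    return in_array($name, $known_interfaces, true);
}

$known = ['wan', 'lan', 'opt1'];   // assumed interface names for the demo

echo "unsafe:  ", render_unsafe(PAYLOAD), PHP_EOL;
echo "safe:    ", render_safe(PAYLOAD), PHP_EOL;
echo "html:    ", render_html(PAYLOAD), PHP_EOL;
echo "known?   ", var_export(interface_is_known(PAYLOAD, $known), true), PHP_EOL;
```

Run with `php example.php` and compare the `unsafe:` and `safe:` lines: in the first the quote in the payload closes the string literal, in the second it is emitted as an escape sequence and the whole value stays a single JavaScript string. Note that `htmlspecialchars` alone is not sufficient inside a script block, since a backslash or a bare quote is still meaningful to JavaScript there, which is why the JSON encoder is used for that context.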
#1

Updated by Jim Pingle 10 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
#3

Updated by Christopher Cope 10 months ago

  • Status changed from Feedback to Resolved

Tested on

23.09-DEVELOPMENT (amd64)
built on Tue Jul 11 06:04:51 UTC 2023
FreeBSD 14.0-CURRENT

It no longer presents an alert with the example URL.

#4

Updated by Jim Pingle 6 months ago

  • Target version changed from 2.8.0 to 2.7.1
#5

Updated by Jim Pingle 6 months ago

  • Private changed from Yes to No