Feature #14696

closed

possible cross site scripting and URL manipulation shell access injection issue sgerror.php

Added by Jonathan Lee about 2 years ago. Updated about 2 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: squidguard
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

Hello fellow pfSense Redmine team,

I seem to have found an issue with sgerror.php allowing a user to adapt the PHP file via the URL after the error has already been displayed.

Ref:
https://forum.netgate.com/topic/182279/fixed-squidguard-redirect-page-for-error-codes-issues-with-https-ssl-interception/5?_=1692397066310

While researching a way to resolve my errors not displaying within SSL intercept, I discovered that if a user sets Squidguard to use EXT URL MOVE and sets the URL to your internal URL that points to sgerror.php, I can possibly do command injection. Can this be set to have input validation?


Files

Screenshot 2023-08-18 at 3.23.56 PM.png (149 KB), Jonathan Lee, 08/18/2023 10:27 PM
Screenshot 2023-08-18 at 3.08.12 PM.png (421 KB), Jonathan Lee, 08/18/2023 10:27 PM
Screenshot 2023-08-18 at 4.34.26 PM.png (458 KB): sgerror.php no longer used system redirects to google when blocked url is attempted, Jonathan Lee, 08/18/2023 11:59 PM
Screenshot 2023-08-18 at 4.59.48 PM.png (200 KB): sgerror.php still can be manually accessed within the www folder even with this disabled under squidguard, Jonathan Lee, 08/19/2023 12:00 AM