Project

General

Profile

Actions

Bug #15224

closed

``services_acb_settings.php`` does not fully validate value of ``frequency``, uses value without encoding

Added by Jim Pingle 11 months ago. Updated 8 months ago.

Status:
Resolved
Priority:
Very High
Assignee:
Category:
Auto Configuration Backup
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.03
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

The value supplied by the user for the frequency parameter on services_acb_settings.php is not fully validated, is stored in config.xml, and is then used in JavaScript without encoding.

This could lead to a potential stored XSS vulnerability where an attacker could make the change and then have another administrator visit the page at a later time.

Due to the location where the variable is used in JavaScript, the contents of the submitted string must break out of its current location using a value such as ")); alert(1);//

The user must be logged in and have sufficient privileges to access services_acb_settings.php and make changes to the configuration.

To me, I already have a fix tested and ready.

Actions #1

Updated by Jim Pingle 11 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Christopher Cope 10 months ago

  • Status changed from Feedback to Resolved

I can reproduce this on

23.09.1-RELEASE (amd64)
built on Wed Dec 6 20:22:00 UTC 2023
FreeBSD 14.0-CURRENT

Testing on

24.03-DEVELOPMENT (amd64)
built on Thu Feb 15 6:00:00 UTC 2024
FreeBSD 15.0-CURRENT

and I can no longer trigger it. Marking resolved.

Actions #4

Updated by Jim Pingle 8 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF