Bug #15525

closed

File browser on ``diag_edit.php`` does not encode directory names before display

Added by Jim Pingle 6 months ago. Updated 8 days ago.

Status: Resolved
Priority: High
Assignee:
Category: Diagnostics
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.11
Release Notes: Default
Affected Version:
Affected Architecture:

Description

The file browser on diag_edit.php does not encode directory names before display

Similar to #13262, which fixed problematic filenames, but directories can also trigger a similar issue, both in the file/directory list and in the breadcrumb/directory path line.

Creating a directory named `\'\>\"\>\<img\ src=q\ onerror=alert\(\'xss\'\)\;\>` and then browsing to it will produce a JS alert.

A user who can create directories with arbitrary names can break rendering of the page, though exploit potential is minimized by the fact that `/` is not valid in directory names, so tags cannot be closed.
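The listing and breadcrumb rendering described above, as an added example that is not pfSense's own diag_edit.php code: a minimal PHP renderer that first interpolates directory names raw (the behaviour this bug reports) and then encodes them with htmlspecialchars() at the point they enter the HTML. The hostile directory name is constructed from the one in the report (the shell-escaped form unescaped); the entry array, the markup and the data-path attribute are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not pfSense code. The hostile name below is the directory
// from the bug report with shell escaping removed; everything else
// (entry structure, markup, attribute names) is an assumption.
$hostile = "'>\"><img src=q onerror=alert('xss');>";

// Constructed stand-in for what a scandir() loop over the cwd would return.
$entries = [
    ['name' => 'conf',       'is_dir' => true],
    ['name' => $hostile,     'is_dir' => true],
    ['name' => 'config.xml', 'is_dir' => false],
];
// The user has already browsed into the hostile directory, so it is also
// part of the breadcrumb/directory path line.
$cwd = '/tmp/' . $hostile;

// Encode for HTML text and attribute context. ENT_QUOTES covers both quote
// characters, which the payload relies on to break out of an attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// BEFORE: names are interpolated raw. The browser parses the name as markup
// and runs the onerror handler as soon as the listing is displayed.
function render_listing_vulnerable(array $entries, string $cwd): string
{
    $html = "<ul>\n";
    foreach ($entries as $e) {
        $path  = rtrim($cwd, '/') . '/' . $e['name'];
        $label = $e['is_dir'] ? $e['name'] . '/' : $e['name'];
        $html .= "  <li><a href=\"#\" data-path=\"{$path}\">{$label}</a></li>\n";
    }
    return $html . "</ul>\n";
}

// AFTER: every filesystem-derived string is encoded where it enters the
// document. Handing the path to script through a data-* attribute (read as
// this.dataset.path) avoids a second, JavaScript-string context inside an
// onclick handler, which HTML encoding alone would not make safe (a newline
// or backslash in a name would still break a JS string literal).
function render_listing_safe(array $entries, string $cwd): string
{
    $html = "<ul>\n";
    foreach ($entries as $e) {
        $path  = rtrim($cwd, '/') . '/' . $e['name'];
        $label = $e['is_dir'] ? $e['name'] . '/' : $e['name'];
        $html .= '  <li><a href="#" data-path="' . h($path) . '">' . h($label) . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Breadcrumb line: split the cwd on '/' and encode each component on its
// own. The separator is page-controlled and stays literal; only the names
// that came from the filesystem are encoded.
function render_breadcrumb_safe(string $cwd): string
{
    $acc    = '';
    $crumbs = ['<a href="#" data-path="/">/</a>'];
    foreach (explode('/', $cwd) as $part) {
        if ($part === '') {
            continue;
        }
        $acc     .= '/' . $part;
        $crumbs[] = '<a href="#" data-path="' . h($acc) . '">' . h($part) . '</a>';
    }
    return implode(' / ', $crumbs) . "\n";
}

echo "--- vulnerable listing ---\n", render_listing_vulnerable($entries, $cwd);
echo "--- encoded listing ---\n",    render_listing_safe($entries, $cwd);
echo "--- encoded breadcrumb ---\n", render_breadcrumb_safe($cwd);

// Check: no raw <img tag from the hostile name survives in the encoded output.
$encoded = render_listing_safe($entries, $cwd) . render_breadcrumb_safe($cwd);
if (strpos($encoded, '<img') !== false) {
    fwrite(STDERR, "encoding failed\n");
    exit(1);
}
```

Run with `php example.php` and compare the two listings: the vulnerable one contains a literal `<img src=q onerror=alert('xss');>` that the browser will execute, while the encoded one shows `&lt;img src=q onerror=alert(&#039;xss&#039;);&gt;` as inert text. Note that the payload needs no closing tag, which is why the absence of `/` in directory names does not prevent the alert; it only limits what other markup an attacker can assemble.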

Actions #2

Updated by Jim Pingle 6 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Georgiy Tyutyunnik 6 months ago

Tested on:
24.03-RELEASE (amd64)
built on Wed Apr 24 17:38:00 UTC 2024
FreeBSD 15.0-CURRENT
Patch fixes the issue.

Actions #4

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved
Actions #5

Updated by Jim Pingle about 2 months ago

  • Plus Target Version changed from 24.08 to 24.11
Actions #6

Updated by Jim Pingle 8 days ago

  • Private changed from Yes to No