Bug #15778

closed

Interface group members are not validated on load/save on ``interfaces_groups_edit.php``, and are printed without encoding on ``interfaces_groups.php``

Added by zhao mouren about 1 month ago. Updated 10 days ago.

Status: Closed
Priority: High
Assignee:
Category: Interfaces
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.11
Release Notes: Default
Affected Version: All
Affected Architecture:

Description

When submitting interface group members on interfaces_groups_edit.php the member list is not validated before it is then stored in the configuration. The group member list is then printed without encoding on interfaces_groups.php, leading to a potential stored XSS.

Original report URL: https://github.com/physicszq/web_issue/blob/main/pfsense/interfaces_groups_edit_file.md_xss.md
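
The two controls the description says are missing, validating the member list before it is stored and encoding it when it is printed, shown as an added example in PHP. This is not pfSense source code: the function names `validate_group_members()` and `render_members()`, the interface names, and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example, not pfSense code. Function names and data are hypothetical.

/**
 * Validate a submitted member list against the interfaces that exist.
 * Returns [clean members, errors]; store nothing when errors is non-empty.
 * The same check can be applied when a stored group is loaded for editing.
 */
function validate_group_members($submitted, array $known_ifs): array
{
    if (!is_array($submitted)) {
        return [[], ['Member list must be an array of interface names.']];
    }
    $clean = [];
    $errors = [];
    foreach ($submitted as $member) {
        // Allowlist: only exact, type-strict matches of known interfaces pass.
        if (!is_string($member) || !in_array($member, $known_ifs, true)) {
            // Generic message: never echo the rejected value back to the page.
            $errors[] = 'An invalid group member was submitted.';
            continue;
        }
        $clean[] = $member;
    }
    return [array_values(array_unique($clean)), $errors];
}

/** Encode every member at output time, even if it was validated on save. */
function render_members(array $members): string
{
    $encoded = array_map(
        fn($m) => htmlspecialchars((string)$m, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        $members
    );
    return implode(', ', $encoded);
}

// Constructed sample data.
$known_ifs = ['wan', 'lan', 'opt1'];
$submitted = ['lan', 'opt1', 'lan', '<b onmouseover=x>opt2</b>'];

[$members, $errors] = validate_group_members($submitted, $known_ifs);
var_dump($members, $errors);

// A value that reached the configuration before validation existed is still
// rendered as inert text because it is encoded on output.
echo render_members(['lan', '<b onmouseover=x>opt2</b>']), "\n";
```

Both controls are needed: validation keeps bad values out of the configuration, while output encoding covers values that were stored before the check existed or that arrive through another path.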

Actions #1

Updated by Jim Pingle about 1 month ago

  • Subject changed from interfaces_groups_edit.php exists xss to Interface group members are not validated on load/save on ``interfaces_groups_edit.php``, and are printed without encoding on ``interfaces_groups.php``
  • Description updated (diff)
  • Status changed from New to Confirmed
  • Assignee set to Jim Pingle
  • Priority changed from Normal to High
  • Target version set to 2.8.0
  • Plus Target Version set to 24.11

In the future, please submit security concerns privately via the process documented at https://www.netgate.com/security

Updated subject/description to match observed behavior. Keeping public for now since it was submitted publicly.

I was able to confirm a problem here but the screenshot at the linked URL is weird in that the URL and XSS dialog in the screenshot are from interfaces_groups.php but that does not match the rest of the content in the screenshot background which is from interfaces_groups_edit.php. Might be a browser quirk or how the screenshot was created, but it's still odd. There isn't any way I could find that resulted in an XSS dialog on interfaces_groups_edit.php directly with the error message shown in the screenshot about the group already existing. The XSS appeared on interfaces_groups.php where it prints the member list, which matches the URL in the screenshot.

Actions #2

Updated by Jim Pingle about 1 month ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Actions #3

Updated by Jim Pingle 10 days ago

  • Status changed from Feedback to Closed

Seems to be working properly on save and load in current builds.
