Project

General

Profile

Actions
Copy link

Bug #15778

open

Interface group members are not validated on load/save on ``interfaces_groups_edit.php``, and are printed without encoding on ``interfaces_groups.php``

Added by zhao mouren 14 days ago. Updated 11 days ago.

Status:
Feedback
Priority:
High
Assignee:
Jim Pingle
Category:
Interfaces
Target version:
2.8.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.11
Release Notes:
Default
Affected Version:
All
Affected Architecture:

Description

When submitting interface group members on interfaces_groups_edit.php the member list is not validated before it is then stored in the configuration. The group member list is then printed without encoding on interfaces_groups.php, leading to a potential stored XSS.

Original report URL: https://github.com/physicszq/web_issue/blob/main/pfsense/interfaces_groups_edit_file.md_xss.md

Actions
Copy link
 #1

Updated by Jim Pingle 11 days ago

  • Subject changed from interfaces_groups_edit.php exists xss to Interface group members are not validated on load/save on ``interfaces_groups_edit.php``, and are printed without encoding on ``interfaces_groups.php``
  • Description updated (diff)
  • Status changed from New to Confirmed
  • Assignee set to Jim Pingle
  • Priority changed from Normal to High
  • Target version set to 2.8.0
  • Plus Target Version set to 24.11

In the future, please submit security concerns privately via the process documented at https://www.netgate.com/security

Updated subject/description to match observed behavior. Keeping public for now since it was submitted publicly.

I was able to confirm a problem here but the screenshot at the linked URL is weird in that the URL and XSS dialog in the screenshot are from interfaces_groups.php but that does not match the rest of the content in the screenshot background which is from interfaces_groups_edit.php. Might be a browser quirk or how the screenshot was created, but it's still odd. There isn't any way I could find that resulted in an XSS dialog on interfaces_groups_edit.php directly with the error message shown in the screenshot about the group already existing. The XSS appeared on interfaces_groups.php where it prints the member list, which matches the URL in the screenshot.

Actions
Copy link
 #2

Updated by Jim Pingle 11 days ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF