Bug #15844

closed

Dashboard ``widgetkey`` values are not validated on save or load, can lead to configuration corruption or other problems

Added by Jim Pingle 6 months ago. Updated 4 days ago.

Status: Resolved
Priority: Very High
Assignee:
Category: Dashboard
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 25.03
Release Notes: Default
Affected Version:
Affected Architecture:

Description

Many dashboard widgets allow multiple instances and use a "widgetkey" parameter to distinguish between them. Widget keys should be in the form <widget internal name>-<instance id>. However, this format is not validated when submitted from clients. A client can populate that variable with bad data, which can result in a corrupted configuration and could potentially be an XSS vector.

For example, if a client submits a widgetkey value containing XML, such as the following, it can result in the configuration becoming unreadable, which prevents the GUI from being used and may also prevent the system from booting:

widgetkey=test/><log-0><filterlogentriesinterval>5;alert("XSS")</filterlogentriesinterval></log-0><!--

At a minimum, the submitted widget key should be validated to be in the correct form and tested against the current list of widgets on the dashboard. If the latter part would result in settings being lost for removed widgets, then it may be enough to test the key against the list of possible widgets and that the ID is a positive integer.
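The check the report asks for, written as an added Python illustration rather than pfSense code (the dashboard itself is PHP). It enforces the <name>-<id> form, requires the name to be a known widget, and optionally requires the key to be one currently on the dashboard (the stricter variant), falling back to the relaxed "known widget + integer ID" rule when that list is not supplied. The widget allowlist is constructed for the example; the sample payload's own `log-0` element suggests instance numbering starts at 0, so 0 is accepted here (tighten the pattern to `[1-9][0-9]*` if instances are numbered from 1).

```python
import re

# Constructed allowlist of widget internal names (an assumption for this example;
# the real dashboard would derive this from the widget files it ships).
KNOWN_WIDGETS = {"log", "interfaces", "system_information", "traffic_graphs"}

# <widget internal name>-<instance id>; the id is a canonical decimal integer
# (no sign, no leading zeros), so nothing resembling markup can pass.
WIDGETKEY_RE = re.compile(r"^([a-z][a-z0-9_]*)-(0|[1-9][0-9]*)$")


def validate_widgetkey(key, known_widgets=KNOWN_WIDGETS, active_keys=None):
    """Return (ok, reason) for a client-submitted widgetkey.

    known_widgets: names that are allowed at all (relaxed check).
    active_keys:   if given, the exact keys currently on the dashboard;
                   the key must be one of them (strict check).
    """
    if not isinstance(key, str):
        return False, "widgetkey is not a string"
    m = WIDGETKEY_RE.fullmatch(key)
    if m is None:
        return False, "widgetkey is malformed"
    name = m.group(1)
    if name not in known_widgets:
        return False, f"unknown widget {name!r}"
    if active_keys is not None and key not in active_keys:
        return False, "widgetkey is not an instance on the current dashboard"
    return True, "ok"


def filter_submitted_settings(submitted, **kwargs):
    """Keep only entries of a {widgetkey: settings} mapping whose key validates.

    Rejected keys are returned separately so the caller can log them; nothing
    rejected ever reaches the configuration writer.
    """
    accepted, rejected = {}, {}
    for key, settings in submitted.items():
        ok, reason = validate_widgetkey(key, **kwargs)
        (accepted if ok else rejected)[key] = settings if ok else reason
    return accepted, rejected


# Constructed sample: the malformed key is the payload quoted in the report.
BAD_KEY = 'test/><log-0><filterlogentriesinterval>5;alert("XSS")</filterlogentriesinterval></log-0><!--'

if __name__ == "__main__":
    sample = {"log-0": {"filterlogentriesinterval": "5"}, BAD_KEY: {}, "bogus-1": {}}
    ok, bad = filter_submitted_settings(sample)
    print("accepted:", sorted(ok))
    print("rejected:", bad)
```

Run against the submitted settings map before anything is written to the configuration; with `active_keys` set to the dashboard's current key list the function also rejects well-formed keys for widgets that are not on the dashboard, which is the stricter variant the report describes.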

