Actions
Bug #16114
closed
Potential XSS in Firewall Schedules
Start date:
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
25.03
Release Notes:
Default
Affected Version:
Affected Architecture:
Description
The page at firewall_schedule_edit.php does not perform sufficient validation on the schedule values submitted by users. This value is sent back to the user on firewall_schedule.php without encoding, which is a potential XSS vector. Furthermore, the value may also cause a PHP error on firewall_schedule_edit.php which prevents further edits from being made to schedules.
Creating a new entry with the following data reproduces the problem condition:
{
"name": "XSS_Test_Sched",
"descr": "XSS+Test",
"monthsel": "3",
"starttimehour": "0",
"starttimemin": "00",
"stoptimehour": "23",
"stoptimemin": "59",
"timerangedescr": "",
"tempFriendlyTime0": "Sun",
"starttime0": "0:00",
"stoptime0": "23:59",
"timedescr0": "",
"schedule0": "w11p3-m3d12\"><script>alert('XSS')</script>",
"marker": "",
"save": "Save"
}
Attempting to edit the problematic entry will result in a PHP error:
PHP Fatal error: Uncaught TypeError: mktime(): Argument #5 ($day) must be of type ?int, string given in /usr/local/www/firewall_schedule_edit.php:494
Stack trace:
#0 /usr/local/www/firewall_schedule_edit.php(494): mktime(0, 0, 0, '3', '12"><572025-03-...', '2025')
#1 {main}
thrown in /usr/local/www/firewall_schedule_edit.php on line 494
Files
Updated by 
Updated by
Actions