Bug #16115: Potential XSS in IPsec Phase 1
Status: Closed, 100% done
Description
The page at vpn_ipsec_phase1.php does not perform sufficient validation on the interface value submitted by users when creating or editing a Phase 1 entry. This value is sent back to the user without encoding in the IPsec Phase 1 list on vpn_ipsec.php, which is a potential XSS vector.
Creating a new entry with the following data reproduces the problem condition:
{ "descr": "XSS+Test", "iketype": "ikev2", "protocol": "inet", "interface": 'wan"><script>alert(\'XSS\')</script>', "remotegw": "198.51.100.254", "authentication_method": "pre_shared_key", "mode": "main", "myid_type": "myaddress", "myid_data": "", "peerid_type": "peeraddress", "peerid_data": "", "pskey": "14e1206aafd9bb66a9469c0ee1f570c60ccb283b7cca6192fecf78e1", "ealgo_algo0": "aes", "ealgo_keylen0": "128", "halgo0": "sha256", "dhgroup0": "14", "prfalgo0": "sha256", "lifetime": "28800", "rekey_time": "", "reauth_time": "", "rand_time": "", "startaction": "", "closeaction": "", "nat_traversal": "on", "mobike": "off", "ikeport": "", "nattport": "", "dpd_enable": "yes", "dpd_delay": "10", "dpd_maxfail": "5", "ikeid": "", "save": "Save" }
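As an added example (not pfSense's own code), the two controls that close this class of bug: an allowlist check on the submitted interface value at save time, and HTML encoding when the value is rendered in the Phase 1 list. The interface allowlist and the table cell markup are assumptions.

```php
<?php
// Added example, not pfSense's own code. The allowlist contents and the
// cell markup are assumptions; the submitted value is the one from the report.

/**
 * Return the interface value only if it exactly matches a configured
 * interface name; otherwise return null so the caller raises an input
 * error instead of storing the raw value in the config.
 */
function validate_phase1_interface(string $submitted, array $valid_interfaces): ?string
{
    // Strict comparison against the allowlist: nothing outside the known
    // interface names can reach the saved Phase 1 entry.
    return in_array($submitted, $valid_interfaces, true) ? $submitted : null;
}

/**
 * Render one cell of the Phase 1 list. Encoding on output keeps the cell
 * inert even if an older config already holds an unvalidated value.
 */
function render_interface_cell(string $interface): string
{
    $escaped = htmlspecialchars($interface, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $escaped . '</td>';
}

// Constructed allowlist; a real page would take this from the interface config.
$valid_interfaces = ['wan', 'lan', 'opt1'];

// A legitimate value passes validation unchanged.
var_dump(validate_phase1_interface('wan', $valid_interfaces));

// The value from the report is rejected before it can be saved.
$submitted = 'wan"><script>alert(\'XSS\')</script>';
if (validate_phase1_interface($submitted, $valid_interfaces) === null) {
    echo "Rejected interface value at save time\n";
}

// Defence in depth: if such a value is ever rendered, the markup is escaped.
echo render_interface_cell($submitted), "\n";
```

The allowlist check is the actual fix for the save path; the output encoding covers list rendering for entries written before the check existed.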
Updated by Jim Pingle about 2 months ago
- File poc-xss-ipsecp1-16115.py added
- Private changed from No to Yes
Attached is a small proof of concept script which can trigger the problem. Ensure there is no IPsec Phase 1 named "XSS Test" before running the script.
After running the script, an XSS alert will appear on vpn_ipsec_phase1.php.
Updated by Jim Pingle about 2 months ago
- File deleted (poc-xss-ipsecp1-16115.py)
Updated by Jim Pingle about 2 months ago
- File poc-xss-ipsecp1-16115.py added
Updated POC
Updated by Jim Pingle about 2 months ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 0ff75cd0b9fb14c04c94c3585831a9f669be0a5d.
Updated by Georgiy Tyutyunnik 26 days ago
Tested, reproduced on 25.07.a.20250331.2135.
Fixed in 25.07.a.20250409.0600 and later.