Bug #16115

closed

Potential XSS in IPsec Phase 1

Added by Jim Pingle about 2 months ago. Updated 4 days ago.

Status: Resolved
Priority: Very High
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 25.03
Release Notes: Default
Affected Version:
Affected Architecture:

Description

The page at vpn_ipsec_phase1.php does not perform sufficient validation on the interface value submitted by users when creating or editing a Phase 1 entry. This value is sent back to the user without encoding in the IPsec Phase 1 list on vpn_ipsec.php, which is a potential XSS vector.

Creating a new entry with the following data reproduces the problem condition:

{
    "descr": "XSS+Test",
    "iketype": "ikev2",
    "protocol": "inet",
    "interface": 'wan"><script>alert(\'XSS\')</script>',
    "remotegw": "198.51.100.254",
    "authentication_method": "pre_shared_key",
    "mode": "main",
    "myid_type": "myaddress",
    "myid_data": "",
    "peerid_type": "peeraddress",
    "peerid_data": "",
    "pskey": "14e1206aafd9bb66a9469c0ee1f570c60ccb283b7cca6192fecf78e1",
    "ealgo_algo0": "aes",
    "ealgo_keylen0": "128",
    "halgo0": "sha256",
    "dhgroup0": "14",
    "prfalgo0": "sha256",
    "lifetime": "28800",
    "rekey_time": "",
    "reauth_time": "",
    "rand_time": "",
    "startaction": "",
    "closeaction": "",
    "nat_traversal": "on",
    "mobike": "off",
    "ikeport": "",
    "nattport": "",
    "dpd_enable": "yes",
    "dpd_delay": "10",
    "dpd_maxfail": "5",
    "ikeid": "",
    "save": "Save" 
}

Files

poc-xss-ipsecp1-16115.py (2.05 KB), Jim Pingle, 04/01/2025 06:29 PM
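
The two controls the description names as missing, validation of the submitted interface value and encoding when it is written into the Phase 1 list, shown together in PHP as an added example. This is not pfSense source code and not the change that resolved this issue; the function names and the interface list are hypothetical.

```php
<?php
// Added example. Function names and the interface list are hypothetical.

// Constructed sample: interface keys the firewall actually has, with labels.
function example_known_interfaces(): array
{
    return ['wan' => 'WAN', 'lan' => 'LAN', 'opt1' => 'DMZ'];
}

// Input side: accept "interface" only if it exactly matches a known key.
function example_validate_phase1(array $post, array $known): array
{
    $errors = [];
    $iface = $post['interface'] ?? null;
    if (!is_string($iface) || !array_key_exists($iface, $known)) {
        $errors[] = 'A valid interface must be specified.';
    }
    return $errors;
}

// Output side: encode for the HTML context at the point of output, so a
// value already stored in the configuration is rendered as inert text.
function example_interface_cell(string $stored, array $known): string
{
    $label = $known[$stored] ?? $stored;
    return '<td>' . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

$known = example_known_interfaces();

// The "interface" value from the description, and a legitimate one.
$samples = [
    'wan"><script>alert(\'XSS\')</script>',
    'wan',
];

foreach ($samples as $value) {
    $errors = example_validate_phase1(['interface' => $value], $known);
    echo ($errors ? 'rejected: ' : 'accepted: ') . json_encode($value) . PHP_EOL;
    echo '  list cell: ' . example_interface_cell($value, $known) . PHP_EOL;
}
```

The allowlist check stops new bad values at save time, while the encoding step covers entries that were stored before the check existed or were written to the configuration by another path.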