Bug #16763

closed

Potential Stored XSS in ``diag_arp.php`` when using ISC DHCP

Added by Jim Pingle 7 days ago. Updated 1 day ago.

Status: Resolved
Priority: High
Assignee:
Category: Diagnostics
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.07
Release Notes: Default
Affected Version:
Affected Architecture:

Description

There is a potential stored XSS possible due to the way diag_arp.php prints hostnames retrieved from the DHCP lease database when using the ISC DHCP backend.

A malicious DHCP client on a local network connected to an interface with ISC DHCP service active can send a specially-crafted hostname containing an XSS payload. The ISC DHCP daemon will accept that hostname and store it in the leases database. The diag_arp.php page reads the DHCP lease database when resolving hostnames to display on the page, and it prints those hostnames without encoding.

This does not affect the Kea DHCP backend as it properly cleans up the hostname of any invalid characters before storing the value, rendering it inert.
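
The missing output encoding described above, shown as an added PHP example that is not pfSense code and not the applied changeset: it reads `client-hostname` values from a constructed `dhcpd.leases` sample and HTML-encodes them before printing. The function names, the sample leases and the DNS-name check are assumptions made for illustration.

```php
<?php
// Constructed sample of an ISC dhcpd.leases file. The second hostname carries
// harmless markup to stand in for client-supplied text.
$leases = <<<'EOT'
lease 192.0.2.10 {
  hardware ethernet 00:00:5e:00:53:01;
  client-hostname "printer-01";
}
lease 192.0.2.11 {
  hardware ethernet 00:00:5e:00:53:02;
  client-hostname "<i>lab</i>";
}
EOT;

// Hypothetical helper: return [ip => hostname] for each lease block that
// records a client-hostname. The value is whatever the client sent.
function lease_hostnames(string $text): array
{
    $out = [];
    preg_match_all('/^lease\s+(\S+)\s*\{(.*?)^\}/ms', $text, $blocks, PREG_SET_ORDER);
    foreach ($blocks as $b) {
        if (preg_match('/client-hostname\s+"((?:[^"\\\\]|\\\\.)*)";/', $b[2], $m)) {
            $out[$b[1]] = stripcslashes($m[1]); // undo the file's backslash escapes
        }
    }
    return $out;
}

// Hypothetical check: does the value look like a DNS hostname (letters,
// digits and hyphens per label)? Used only to flag odd entries for the admin.
function is_dns_hostname(string $name): bool
{
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($name) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/D', $name) === 1;
}

// Encode every value taken from the lease file at the point of output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach (lease_hostnames($leases) as $ip => $host) {
    $note = is_dns_hostname($host) ? '' : ' (not a valid DNS name)';
    echo '<tr><td>' . h($ip) . '</td><td>' . h($host) . $note . "</td></tr>\n";
}
```

Encoding at output covers every backend regardless of what the lease store accepted; the validity check only surfaces suspicious entries and is not a substitute for encoding.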

Actions #1

Updated by Jim Pingle 7 days ago

  • Description updated (diff)

Actions #2

Updated by Jim Pingle 7 days ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Applied in changeset commit:228b2a0e66d97abcae2dd5b8c2c91e76620bea20.

Actions #4

Updated by Jim Pingle 1 day ago

  • Private changed from Yes to No

Actions #5

Updated by Jim Pingle 1 day ago

  • Status changed from Feedback to Resolved

Patch is available in the Recommended Patches section of the latest System Patches Package version.
