Actions
Bug #16935
closedPotential Stored XSS in siproxd package file ``siproxd_registered_phones.php`` from crafted registration data
Start date:
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
Description
If a malicious user can register with siproxd using a specially-crafted registration URI, that string can be printed back to the user without encoding on siproxd_registered_phones.php.
For example:
Contact: <sip:<svg/onload="alert(String.fromCharCode(88,83,83))">@198.51.100.34:5088>;expires=600
An easy way to test is to copy the following data over /var/siproxd/siproxd_registrations and refresh the page immediately:
****:1:1783365905 sip:<svg/onload="alert(String.fromCharCode(88,83,83))" sip:user@10.34.0.10:5061 sip:user@198.51.100.34:5061
Reported by: @lujiefsi
Updated by Jim Pingle 9 days ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Fixed in commit ea2a9f58d8b467e36e97d576a64ae5b0b24846d8
New package builds are available now for Plus 26.03.1 and CE 2.8.1.
Updated by Georgiy Tyutyunnik 6 days ago
- Status changed from Feedback to Resolved
reproduced in earlier versions, can't reproduce in
26.03.1-RELEASE (amd64)
built on Wed May 20 15:19:00 UTC 2026
FreeBSD 16.0-CURRENT
fresh install of the package:
siproxd 1.1.8_1
Actions