Project

General

Profile

Actions

Bug #16935

closed

Potential Stored XSS in siproxd package file ``siproxd_registered_phones.php`` from crafted registration data

Added by Jim Pingle 9 days ago. Updated 1 day ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
siproxd
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

If a malicious user can register with siproxd using a specially-crafted registration URI, that string can be printed back to the user without encoding on siproxd_registered_phones.php.

For example:

Contact: <sip:<svg/onload="alert(String.fromCharCode(88,83,83))">@198.51.100.34:5088>;expires=600

An easy way to test is to copy the following data over /var/siproxd/siproxd_registrations and refresh the page immediately:

****:1:1783365905
sip:<svg/onload="alert(String.fromCharCode(88,83,83))" 
sip:user@10.34.0.10:5061
sip:user@198.51.100.34:5061

Reported by: @lujiefsi

Actions #1

Updated by Jim Pingle 9 days ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Fixed in commit ea2a9f58d8b467e36e97d576a64ae5b0b24846d8

New package builds are available now for Plus 26.03.1 and CE 2.8.1.

Actions #2

Updated by Georgiy Tyutyunnik 6 days ago

  • Status changed from Feedback to Resolved

reproduced in earlier versions, can't reproduce in
26.03.1-RELEASE (amd64)
built on Wed May 20 15:19:00 UTC 2026
FreeBSD 16.0-CURRENT

fresh install of the package:
siproxd 1.1.8_1

Actions #3

Updated by Jim Pingle 1 day ago

  • Description updated (diff)
Actions #4

Updated by Jim Pingle 1 day ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF