Actions
Bug #16935
closedPotential Stored XSS in siproxd package file ``siproxd_registered_phones.php`` from crafted registration data
Start date:
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
Description
If a malicious user can register with siproxd using a specially-crafted registration URI, that string can be printed back to the user without encoding on siproxd_registered_phones.php.
For example:
Contact: <sip:<svg/onload="alert(String.fromCharCode(88,83,83))">@198.51.100.34:5088>;expires=600
An easy way to test is to copy the following data over /var/siproxd/siproxd_registrations and refresh the page immediately:
****:1:1783365905 sip:<svg/onload="alert(String.fromCharCode(88,83,83))" sip:user@10.34.0.10:5061 sip:user@198.51.100.34:5061
Reported by: @lujiefsi
Actions