Project

General

Profile

Actions

Bug #16935

closed

Potential Stored XSS in siproxd package file ``siproxd_registered_phones.php`` from crafted registration data

Added by Jim Pingle 9 days ago. Updated 1 day ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
siproxd
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

If a malicious user can register with siproxd using a specially-crafted registration URI, that string can be printed back to the user without encoding on siproxd_registered_phones.php.

For example:

Contact: <sip:<svg/onload="alert(String.fromCharCode(88,83,83))">@198.51.100.34:5088>;expires=600

An easy way to test is to copy the following data over /var/siproxd/siproxd_registrations and refresh the page immediately:

****:1:1783365905
sip:<svg/onload="alert(String.fromCharCode(88,83,83))" 
sip:user@10.34.0.10:5061
sip:user@198.51.100.34:5061

Reported by: @lujiefsi

Actions

Also available in: Atom PDF