Bug #3461: XSS - package system - pfSense - pfSense bugtracker

Bug #3461

XSS - package system

Added by Fernando Munoz about 7 years ago. Updated almost 7 years ago.

Status:

Resolved

Priority:

High

Assignee:

Category:

Package System

Target version:

2.1.1

Start date:

02/17/2014

Due date:

% Done:

100%

Estimated time:

Affected Version:

All

Affected Architecture:

Description

pkg parameter isn't encoded properly, it's possible to inject javascript code:

https://ip/pkg_mgr_install.php?mode=delete&pkg=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E

Associated revisions

Revision 248b0124 (diff)
Added by Ermal Luçi about 7 years ago

Ticket #3461. Protect output to browser by using htmlspecialchars.

Revision 82921e73 (diff)
Added by Ermal Luçi about 7 years ago

Fixes #3461. Remove any special char that can lead to shell/XSS compromises from submitted input.

Revision 6766e477 (diff)
Added by Ermal Luçi about 7 years ago

Fixes #3461. Remove any special char that can lead to shell/XSS compromises from submitted input.

History

#1 Updated by Ermal Luçi about 7 years ago

Target version set to 2.1.1
Affected Version set to All

#2 Updated by Ermal Luçi about 7 years ago

Status changed from New to Feedback
% Done changed from 0 to 100

Applied in changeset 82921e738bb9d1a784733152822a9e976767ce3a.

#3 Updated by Ermal Luçi about 7 years ago

Applied in changeset 6766e4771ef6582212044ab8938f4757776618a4.

#4 Updated by Renato Botelho almost 7 years ago

Status changed from Feedback to Resolved

Also available in: Atom PDF

Project

General

Profile

pfSense

Issues

Custom queries