Bug #5201: Stored XSS on authentication services - pfSense - pfSense bugtracker

Bug #5201

Stored XSS on authentication services

Added by Fernando Munoz almost 5 years ago. Updated almost 5 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Web Interface

Target version:

2.2.5

Start date:

09/24/2015

Due date:

% Done:

Estimated time:

Affected Version:

All

Affected Architecture:

Description

To reproduce the cross-site scripting:

1. Go to https://localhost:9090/system_authservers.php?act=new

- on field Descriptive name:  ">&lt;/option&gt;&lt;/select&gt;&lt;img src=x onerror=alert(1)&gt;
 - fill other required fields
 - save

2. Go to https://localhost:9090/diag_authentication.php

Alert appears

XSS2.png (93.6 KB) XSS2.png		Fernando Munoz, 09/24/2015 10:27 AM
XSS1.png (110 KB) XSS1.png		Fernando Munoz, 09/24/2015 10:28 AM

History

#1 Updated by Fernando Munoz almost 5 years ago

File XSS1.png XSS1.png added

Seems like encoding on this bugtracker breaks the payload, I'm attaching an image that shows what to type.

#2 Updated by Jim Pingle almost 5 years ago

Status changed from New to Feedback

Please re-test on a 2.2.5 snapshot from https://snapshots.pfsense.org/

I believe we have already fixed this after 2.2.4, notably with 64c50ecd239a61b42e9179be486f3792c03cb0b8

#3 Updated by Chris Buechler almost 5 years ago

Target version set to 2.2.5

#4 Updated by Chris Buechler almost 5 years ago

Category set to Web Interface
Status changed from Feedback to Resolved
Affected Version set to All

confirmed fixed by what JimP linked.

Also available in: Atom PDF

Project

General

Profile

pfSense

Issues

Custom queries