Bug #5459

system_advanced_sysctl.php lacking input validation, output sanitation

Added by Steve Beaver over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Target version:
Start date: 11/16/2015
Due date:
% Done: 0%
Estimated time:

Description

system_advanced_sysctl.php has no input validation (in 2.2.x either). We should be safe to limit Tunable and Value fields to alphanumeric plus - . and _

Tunable and Value should both be required fields. No restrictions on description necessary.

It's also XSS-able, where 2.2.x isn't. For instance, throw

'><script>alert("hi");</script>

into any of the fields.

History

#1 Updated by Steve Beaver over 3 years ago

  • Status changed from Assigned to Feedback
  • Assignee changed from Steve Beaver to Chris Buechler

Inputs validated
Error messages provided
htmlspecialchars() protection added where required

#2 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Confirmed
  • Assignee changed from Chris Buechler to Steve Beaver
  • Priority changed from High to Normal

The XSS is fixed, thanks! It's a bit overzealous on the htmlentities somewhere it appears. For instance, save the

'><script>alert("hi");</script>

as your description, and your config ends up with:
<descr><![CDATA['&amp;gt;&amp;lt;script&amp;gt;alert(&amp;quot;hi&amp;quot;);&amp;lt;/script&amp;gt;]]></descr>

Then you get exactly that upon editing the entry. That'll mess up a variety of usable descriptions.

#3 Updated by Steve Beaver over 3 years ago

  • Status changed from Confirmed to Feedback
  • Assignee changed from Steve Beaver to Chris Buechler

Kinder, gentler version now saves: "'>alert("hi");" by using strip_tags rather than htmlspecialchars

#4 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Resolved

looks good, thanks!
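
An added example (not code from this ticket or from pfSense) covering the two points in the thread above: the allowlist the description proposes for Tunable and Value, and why encoding on save and again on output yields the double-encoded description reported in comment #2. The function names and the sample input are hypothetical, constructed for illustration; it shows the store-raw, encode-on-output approach rather than the strip_tags change from comment #3.

```php
<?php
// Added example; validate_tunable() and h() are hypothetical names,
// not functions from the pfSense code base.

// Allowlist from the ticket: alphanumeric plus "-", "." and "_".
// \A and \z anchor the whole string, so a trailing newline is rejected.
const FIELD_PATTERN = '/\A[A-Za-z0-9._-]+\z/';

/** Return a list of input errors for one tunable entry (empty = valid). */
function validate_tunable(array $post): array
{
    $errors = [];
    foreach (['tunable' => 'Tunable', 'value' => 'Value'] as $key => $label) {
        $field = $post[$key] ?? '';
        if (!is_string($field) || $field === '') {
            $errors[] = "$label is a required field.";
        } elseif (!preg_match(FIELD_PATTERN, $field)) {
            $errors[] = "$label may only contain letters, digits, '-', '.' and '_'.";
        }
    }
    return $errors; // the description is left unrestricted, as the ticket asks
}

/** Encode a string for HTML output (text node or quoted attribute). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, using the test string quoted in the ticket.
$post = [
    'tunable' => 'net.inet.ip.forwarding',
    'value'   => '1',
    'descr'   => '\'><script>alert("hi");</script>',
];

var_dump(validate_tunable($post));                              // valid entry
var_dump(validate_tunable(['tunable' => 'a b', 'value' => ''])); // two errors

// Store the raw text and encode once on output: the edit form
// redisplays exactly what the user typed, and no markup is injected.
$stored = $post['descr'];
echo "<input name='descr' value='" . h($stored) . "'>\n";

// Encode on save AND again on output: the stored value already holds
// entities, so the user sees "&gt;&lt;script..." when editing the entry.
$stored_encoded = h($post['descr']);
echo "<input name='descr' value='" . h($stored_encoded) . "'>\n";
```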
