system_advanced_sysctl.php lacking input validation, output sanitation
system_advanced_sysctl.php has no input validation (in 2.2.x either). We should be safe to limit Tunable and Value fields to alphanumeric plus - . and _
Tunable and Value should both be required fields. No restrictions on description necessary.
It's also XSS-able, where 2.2.x isn't. For instance, throw
into any of the fields.
#2 Updated by Chris Buechler almost 4 years ago
- Status changed from Feedback to Confirmed
- Assignee changed from Chris Buechler to Steve Beaver
- Priority changed from High to Normal
The XSS is fixed, thanks! It's a bit overzealous on the htmlentities somewhere it appears. For instance, save the
as your description, and your config ends up with:
Then you get exactly that upon editing the entry. That'll mess up a variety of usable descriptions.
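As an added example (not pfSense's code and not part of this ticket), the validation rule proposed in the report (Tunable and Value required, limited to alphanumeric plus - . and _) together with an escape-on-output approach for the description, which avoids the over-encoding at save time described in comment #2. Function names, field names and the sample submissions are assumptions.

```php
<?php
// Added example, not pfSense code. Field names 'tunable', 'value', 'descr'
// and both function names are hypothetical.

// Character set proposed in the report: alphanumeric plus '-', '.' and '_'.
const TUNABLE_VALUE_PATTERN = '/^[A-Za-z0-9._-]+$/';

/**
 * Validate a submitted sysctl entry. Returns a list of error strings
 * (empty when the entry is acceptable). Tunable and Value are required;
 * the description is free-form and is only escaped when displayed.
 */
function validate_sysctl_entry(array $post): array {
    $errors = [];
    foreach (['tunable', 'value'] as $field) {
        $v = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($v === '') {
            $errors[] = "The field '$field' is required.";
        } elseif (!preg_match(TUNABLE_VALUE_PATTERN, $v)) {
            $errors[] = "The field '$field' may only contain letters, digits, '-', '.' and '_'.";
        }
    }
    return $errors;
}

// Store the description exactly as typed and encode it only at the point of
// output. Encoding on save puts entities into the config, which then appear
// literally on the edit form (the behaviour comment #2 describes).
function description_for_html(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions.
$good = ['tunable' => 'net.inet.ip.forwarding', 'value' => '1',
         'descr'   => 'Enable "IP forwarding" & routing'];
$bad  = ['tunable' => 'kern.ipc.somaxconn 256', 'value' => ''];

print_r(validate_sysctl_entry($good));   // empty array: entry is acceptable
print_r(validate_sysctl_entry($bad));    // two errors: bad charset, missing value

// Raw value stays in the config; escaping happens once, when rendered.
echo description_for_html($good['descr']), "\n";
// Encoding at save time and again at output time is what mangles descriptions:
echo htmlspecialchars(htmlentities($good['descr'])), "\n";
```

Run with `php example.php`; the last line shows the doubly encoded form (`&amp;quot;`, `&amp;amp;`) that ends up in the edit form when the description is encoded before being stored.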