Project

General

Profile

Actions

Bug #5459

closed

system_advanced_sysctl.php lacking input validation, output sanitation

Added by Steve Beaver about 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Normal
Target version:
Start date:
11/16/2015
Due date:
% Done:

0%

Estimated time:

Description

system_advanced_sysctl.php has no input validation (in 2.2.x either). We should be safe to limit Tunable and Value fields to alphanumeric plus - . and _

Tunable and Value should both be required fields. No restrictions on description necessary.

It's also XSS-able, where 2.2.x isn't. For instance, throw

'><script>alert("hi");</script>

into any of the fields.

Actions

Also available in: Atom PDF