Project

General

Profile

Actions

Bug #6154

closed

Notices are displaying raw html (interpreted by the browser), potential XSS vector

Added by Jim Pingle over 8 years ago. Updated almost 8 years ago.

Status:
Resolved
Priority:
Normal
Category:
Web Interface
Target version:
Start date:
04/14/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3
Affected Architecture:

Description

The text of a notice is displayed as passed, presumably to allow for links in the notice text. At least one place that files notices -- the AutoConfigBackup package -- is passing through raw HTML from a server response, which breaks the display and is a potential XSS vector.

Fixing ACB may be good enough, though it still seems a bit dangerous, maybe only allow certain tags like "a" to show through, and strip out any script/onload/etc? Needs some thought.

Actions #1

Updated by Anonymous over 8 years ago

It seems like in addition to fixing ACB, it would be good to sanitize notices as you suggest. A sanitiize_text() function might be useful elsewhere and could simple zap strings such as script, onload, onclick, onchange etc.

Actions #2

Updated by Anonymous over 8 years ago

  • Priority changed from High to Normal

Lowered priority since JimP has taken care of the immediate problem.

Actions #3

Updated by Chris Buechler over 8 years ago

ACB is good now. But head.inc probably should sanitize $id and $notice unconditionally. Any reason we couldn't always run those two through htmlspecialchars? I don't see anything using links within $notice, and even if they are that's probably not a great idea. That'd prevent notices from breaking the GUI in addition to security benefits.

Actions #4

Updated by Jim Pingle over 8 years ago

Changing ACB directly was the quickest way to get a fix for everyone without updating pfSense itself, but looking through the source at uses of file_notice in deeper detail, doing it for all notices may be fine. Initially I thought I saw some place that relied on using HTML inside the message, forming a link or similar, but it looks like maybe all of that has shifted to using the $url parameter when filing a notice.

So we could probably do with an htmlspecialchars() on $notice['notice'] at source:src/usr/local/www/head.inc#L671 and for ACB on RELENG_2_3 we could revert or change the htmlspecialchars() it does to avoid having it done twice.

As for id, as long as htmlspecialchars() is run only on $notice['id'] at source:src/usr/local/www/head.inc#L668 that should be fine.

I suppose it could also be done for both in source:src/etc/inc/notices.inc#L93 and source:src/etc/inc/notices.inc#L94 as well when filing the notice rather than on display.

Actions #5

Updated by Chris Buechler over 8 years ago

I'd rather store it safely, as there's less chance it'll become a security issue in our code, or outside of it where people are shipping notices elsewhere. For instance, discussed here.
https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/

Pushed change to run all 5 through htmlentities before storing. That doesn't appear to hurt any current usage of notices.

Actions #6

Updated by Chris Buechler over 8 years ago

  • Status changed from Assigned to Feedback
  • Assignee changed from Anonymous to Chris Buechler

added sanitation of the output in head.inc as well

Actions #7

Updated by Chris Buechler over 8 years ago

  • Status changed from Feedback to Resolved

fixed

Actions #8

Updated by Jim Pingle almost 8 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF