Bug #7497

status_dhcp_leases.php: DHCP Lease status does not encode hostname and some other data from leases file, leading to a potential XSS

Added by Jim Pingle almost 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Very High
Assignee:
Category: DHCP Server
Target version:
Start date: 04/26/2017
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.3.x
Affected Architecture: All

Description

A client can send a hostname containing <script> tags and the DHCP daemon will accept it and add it to the leases file. This hostname is then output as-is by the lease status view in the list and then again in action icons for the lease, leading to script execution on the client (for example).

Only affects IPv4 DHCP status, not IPv6

Confirmed on 2.4 and 2.3.x.

To me, I have a fix pending.
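
The output encoding this report calls for, as an added PHP example that is not part of the original report and is not pfSense's code: a constructed leases excerpt is parsed and every field is encoded at the point of output, both in the table cell and in the action-link attributes. The function names, the `edit.php` link target and the sample leases are assumptions made for illustration.

```php
<?php
// Added illustration, not pfSense code. Names and sample data are constructed.

// Constructed dhcpd.leases excerpt; client-hostname is client-controlled input.
$leases_text = <<<'EOT'
lease 192.0.2.50 {
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "<script>alert(1)</script>";
}
lease 192.0.2.51 {
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "kiosk'1&2";
}
EOT;

// Hypothetical minimal parser: pulls ip, mac and hostname from each lease block.
function parse_leases(string $text): array {
    $leases = [];
    preg_match_all('/lease\s+(\S+)\s*\{(.*?)\}/s', $text, $blocks, PREG_SET_ORDER);
    foreach ($blocks as $b) {
        $lease = ['ip' => $b[1], 'mac' => '', 'hostname' => ''];
        if (preg_match('/hardware ethernet\s+([^;]+);/', $b[2], $m)) {
            $lease['mac'] = trim($m[1]);
        }
        if (preg_match('/client-hostname\s+"([^"]*)";/', $b[2], $m)) {
            $lease['hostname'] = $m[1];
        }
        $leases[] = $lease;
    }
    return $leases;
}

// Encode for HTML text and attribute contexts (both quote styles included).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one row: each lease field is encoded where it is output, and the
// action link URL-encodes its query values before the HTML attribute encoding.
function render_row(array $l): string {
    $query = http_build_query(['mac' => $l['mac'], 'hostname' => $l['hostname']]);
    return '<tr><td>' . h($l['ip']) . '</td><td>' . h($l['mac']) . '</td><td>'
        . h($l['hostname']) . '</td><td><a href="' . h('edit.php?' . $query)
        . '" title="' . h('Add mapping for ' . $l['hostname']) . '">+</a></td></tr>';
}

foreach (parse_leases($leases_text) as $lease) {
    echo render_row($lease), "\n";
}
```

In the rendered rows the hostname appears as inert text (`&lt;script&gt;...`), and the same value inside the `href` and `title` attributes cannot close the attribute because `ENT_QUOTES` encodes both single and double quotes.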

Associated revisions

Revision 49a6769d (diff)
Added by Jim Pingle almost 2 years ago

Encode hostname and other output for DHCP lease status. Fixes #7497

Revision a260eda5 (diff)
Added by Jim Pingle almost 2 years ago

Encode hostname and other output for DHCP lease status. Fixes #7497

Revision 9e721fea (diff)
Added by Jim Pingle almost 2 years ago

Encode hostname and other output for DHCP lease status. Fixes #7497

(cherry picked from commit a260eda55905607e9adfd5d7c3fd779b115459d5)

History

#1 Updated by Jim Pingle almost 2 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved

Seems to be solid now.

#3 Updated by Jim Pingle almost 2 years ago

  • Private changed from Yes to No
