Project

General

Profile

Actions

Bug #7652

closed

diag_tables.php: 'type' parameter can lead to XSS

Added by Jim Pingle over 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Web Interface
Target version:
Start date:
06/16/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

Two problems with diag_tables.php that together can lead to XSS via the type (table name) parameter:

  • Lack of input validation allows the 'type' parameter to be submitted with an invalid value (table that does not exist) which is then still used in functions on the page
  • When an invalid table name contains code that could trigger an XSS, it is run when the type parameter is resubmitted via AJAX to load table content.

Example:

/diag_tables.php?type=%27}});});});alert(%27XSS%27);%20console.log(function(){%20console.log(function(){%20console.log({%20c:{%27a%27:%27

Actions

Also available in: Atom PDF