Passing an invalid RRD file to rrd_fetch_json.php via the left= parameter in POST prints the supplied name to the user without encoding
Passing an invalid RRD file to rrd_fetch_json.php via the left= parameter in POST prints the supplied name without encoding, leading to a potential XSS vector.
Two potential issues here:
1. rrd_fetch_json.php needs to check if a file exists and handle that case better, either skipping actions or returning a generic error without supplying the full output
2. status_monitoring.php needs to not print the error messages exactly as they are sent from rrd_fetch_json.php so that HTML or other scripts cannot be passed back via error messages.
To me, I have a fix.
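The two fixes the report asks for, shown as an added PHP example that is not pfSense's code or the code from the linked commits. Names such as `RRD_DIR`, `rrd_error_vulnerable`, `rrd_error_hardened` and `render_error_html` are hypothetical; the directory and the sample request name are constructed for the demonstration.

```php
<?php
// Added example (not from pfSense). Hypothetical names throughout.
// Shows the reflected-output pattern the report describes next to a
// hardened version that (1) validates the requested RRD name and returns
// only a generic error, and (2) HTML-encodes any message before rendering.

const RRD_DIR = '/var/db/rrd'; // assumed location, constructed for the example

// Vulnerable pattern: the user-supplied name is reflected verbatim into the
// error message, so markup in the request ends up in the response body.
function rrd_error_vulnerable(string $name): string
{
    return json_encode(['error' => "RRD file $name not found"]);
}

// Hardened endpoint logic: allowlist the name, confine the resolved path to
// RRD_DIR, and never echo the input back. Details go to the server log only.
function rrd_error_hardened(string $name): array
{
    if (!preg_match('/^[A-Za-z0-9_.-]+\.rrd$/', $name)) {
        error_log('rrd_fetch_json: rejected invalid RRD name');
        return ['error' => 'Invalid graph request'];
    }
    $base = realpath(RRD_DIR);
    $path = ($base === false) ? false : realpath($base . '/' . $name);
    if ($path === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0 || !is_file($path)) {
        return ['error' => 'Requested graph data is not available'];
    }
    return ['ok' => true, 'file' => basename($path)];
}

// Hardened page output: whatever the JSON endpoint returns is encoded before
// it is written into the HTML, so a leaked error string cannot carry script.
function render_error_html(string $message): string
{
    return '<div class="alert alert-danger">'
        . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Constructed request value containing markup, to show the difference.
$requested = '<b>not-a-graph</b>.rrd';

echo rrd_error_vulnerable($requested), "\n";            // markup reflected as-is
echo json_encode(rrd_error_hardened($requested)), "\n"; // generic error, nothing reflected
echo render_error_html("RRD file $requested not found"), "\n"; // tags encoded as &lt;b&gt;
```

The two layers are independent on purpose: the endpoint change removes the reflection, and the output encoding in the status page keeps a future error message from reintroducing it.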
#1 Updated by Jim Pingle over 3 years ago
- Status changed from Confirmed to Feedback
Fix pushed to 2.4.x and 2.3.x
devel: commit https://github.com/pfsense/FreeBSD-ports/commit/795d66877be73bd2d111ccc79f9ad0f5a8467de7 - pfSense-Status_Monitoring version 1.7.6
RELENG_2_4_2: commit https://github.com/pfsense/FreeBSD-ports/commit/350da5e82523165e11344f98b7566c4233b5338b - pfSense-Status_Monitoring version 1.7.6
RELENG_2_3: commit https://github.com/pfsense/FreeBSD-ports/commit/054317c3e0188b2006d6bd2fb1c5998405e53ec1 and https://github.com/pfsense/FreeBSD-ports/commit/833d2d2ef2bca9109624fcce03ef7d4e265ca86e - pfSense-Status_Monitoring version 1.6.5
RELENG_2_3_5: commit https://github.com/pfsense/FreeBSD-ports/commit/40e2e568226f8e72d5b359575fb38d90a7e1a431 and https://github.com/pfsense/FreeBSD-ports/commit/9d6359520574022365a9294bf2bfa47a2a2d0c20 - pfSense-Status_Monitoring version 1.6.5