Bug #8269

closed

Passing an invalid RRD file to rrd_fetch_json.php via the left= parameter in POST prints the supplied name to the user without encoding

Added by Jim Pingle almost 7 years ago. Updated over 6 years ago.

Status: Resolved
Priority: High
Assignee:
Category: Status_Monitoring
Target version:
Start date: 01/10/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: 2.4.x
Affected Plus Version:
Affected Architecture: All

Description

Passing an invalid RRD file to rrd_fetch_json.php via the left= parameter in POST prints the supplied name without encoding, leading to a potential XSS vector.

Two potential issues here:

1. rrd_fetch_json.php needs to check if a file exists and handle that case better, either skipping actions or returning a generic error without supplying the full output.
2. status_monitoring.php needs to not print the error messages exactly as they are sent from rrd_fetch_json.php so that HTML or other scripts cannot be passed back via error messages.

To me, I have a fix.
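
The two fixes listed in the description, shown as an added PHP example; this is not the pfSense patch and not code from the report. The directory placeholder, the function names, the `.rrd` allow-list pattern and the error wording are all assumptions.

```php
<?php
// Added example, not pfSense code. RRD_DIR is a placeholder path and
// resolve_rrd(), fetch_response() and render_error() are hypothetical names.
const RRD_DIR = '/path/to/rrd';

/**
 * Server side (the role rrd_fetch_json.php plays): map the requested name
 * to an existing file, or return null. The input is never echoed back.
 */
function resolve_rrd(string $requested, string $dir = RRD_DIR): ?string
{
    // Assumed allow-list: letters, digits, dot, underscore, hyphen, ending in .rrd.
    // No slashes are accepted, so the name cannot leave $dir.
    if (!preg_match('/\A[A-Za-z0-9._-]+\.rrd\z/', $requested)) {
        return null;
    }
    $path = $dir . '/' . $requested;
    // Issue 1 in the report: check that the file exists before acting on it.
    return is_file($path) ? $path : null;
}

function fetch_response(array $post): string
{
    $left = (isset($post['left']) && is_string($post['left'])) ? $post['left'] : '';
    $path = resolve_rrd($left);
    if ($path === null) {
        // Generic error: the supplied name is not part of the output.
        return json_encode(['error' => 'Invalid RRD file.']);
    }
    // Real code would read the RRD data here; this example only reports
    // the validated file name.
    return json_encode(['file' => basename($path)]);
}

/**
 * Display side (the role status_monitoring.php plays), issue 2 in the report:
 * treat any error string as text so markup in it is encoded, not interpreted.
 */
function render_error(string $message): string
{
    return '<div class="alert alert-danger">'
        . htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

// Constructed sample input: a name that does not exist and contains markup.
$sample = ['left' => '<b>nonexistent</b>.rrd'];
echo fetch_response($sample), "\n";
echo render_error($sample['left']), "\n";
```

Either check alone closes this report's path, but keeping both means a future error source that does include user input still reaches the page encoded.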
