Bug #8300

diag_system_activity.php: Potential XSS due to encoding of process output

Added by Jim Pingle 4 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Web Interface
Target version:
Start date: 01/29/2018
Due date:
% Done: 100%
Affected Version: All
Affected Architecture: All

Description

The top command output is printed to the user without encoding, so if a malicious process is started which contains HTML in its command line or process description then it could trigger an XSS in an administrator's browser.

In order to take advantage of this issue, the user must already be able to execute arbitrary processes, which is a very high barrier. Someone in a position to do this could do far worse things to a system than trigger an XSS.
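The encoding problem described above, as an added PHP example that is not the project's patch and not code from diag_system_activity.php. The function names and the sample top output are constructed for illustration; the markup in the last row is the string used in the reproduction further down this page.

```php
<?php
// Constructed sample of `top` output. The last row's command line carries
// the markup from the reproduction on this page.
$sample_top = <<<'EOT'
last pid:  4242;  load averages:  0.10,  0.08,  0.05  up 0+01:02:03
  PID USERNAME  PRI NICE   SIZE    RES STATE   TIME    WCPU COMMAND
   11 root      155 ki31     0K    32K RUN    58:10  99.00% [idle]
 4242 root       20    0  6960K  2500K piped   0:00   0.10% grep -r <script>alert(1)</script> /
EOT;

// Before (hypothetical helper): process output goes into the page as-is,
// so markup inside a command line is parsed by the administrator's browser.
function render_activity_unsafe(string $top_output): string
{
    return '<pre>' . $top_output . '</pre>';
}

// After (hypothetical helper): encode at the output boundary.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 bytes in a process name instead of returning an empty string.
function render_activity_safe(string $top_output): string
{
    $encoded = htmlspecialchars($top_output, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<pre>' . $encoded . '</pre>';
}

// Regression check: after removing the <pre> wrapper the renderer adds,
// no '<' may remain, because every one in the process data must be encoded.
function contains_raw_markup(string $html): bool
{
    $inner = preg_replace('#^<pre>|</pre>$#', '', $html);
    return strpos($inner, '<') !== false;
}

// Invalid UTF-8 in a process name must not blank the whole listing.
$binary_name = "  99 root  20  0  1K  1K RUN  0:00  0.00% bad\xC3\x28name <b>";

foreach ([$sample_top, $binary_name] as $input) {
    var_dump(contains_raw_markup(render_activity_unsafe($input)));
    var_dump(contains_raw_markup(render_activity_safe($input)));
    var_dump(strlen(render_activity_safe($input)) > strlen('<pre></pre>'));
}
```

The same check can be kept as a regression test for any page that echoes command output, since the data source (process names and arguments) is controlled by whoever can start a process.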

Associated revisions

Revision c083e1e4
Added by Jim Pingle 4 months ago

Fix a potential encoding issue in diag_system_activity.php. Fixes #8300

Revision bd866431
Added by Jim Pingle 4 months ago

Fix a potential encoding issue in diag_system_activity.php. Fixes #8300

(cherry picked from commit c083e1e49af4902d15173d412feebd8b86a616ee)

Revision 51992270
Added by Jim Pingle 4 months ago

Fix a potential encoding issue in diag_system_activity.php. Fixes #8300

(cherry picked from commit c083e1e49af4902d15173d412feebd8b86a616ee)

Revision 834ac053
Added by Jim Pingle 4 months ago

Fix a potential encoding issue in diag_system_activity.php. Fixes #8300

(cherry picked from commit c083e1e49af4902d15173d412feebd8b86a616ee)

History

#1 Updated by Jim Pingle 4 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#2 Updated by James Dekker 3 months ago

Running

grep -r '<script>alert(1)</script>' /

from shell on 2.4.2 generated an alert on Diag > System Activity.

But on pfSense-netgate-memstick-ADI-2.4.3-DEVELOPMENT-amd64-20180307-0900 no alert was generated (the issue appears fixed).

#3 Updated by Jim Pingle 3 months ago

  • Status changed from Feedback to Resolved

#4 Updated by Jim Pingle about 2 months ago

  • Private changed from Yes to No
