Bug #8300: diag_system_activity.php: Potential XSS due to encoding of process output - pfSense - pfSense bugtracker

Actions

Copy link

Bug #8300

closed

diag_system_activity.php: Potential XSS due to encoding of process output

Added by Jim Pingle almost 7 years ago. Updated over 6 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

Web Interface

Target version:

2.4.3

Start date:

01/29/2018

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

All

Description

The top command output is printed to the user without encoding, so if a malicious process is started which contains HTML in its command line or process description then it could trigger an XSS in an administrator's browser.

In order to take advantage of this issue, the user must already be able to execute arbitrary processes, which is a very high barrier. Someone in a position to do this could do far worse things to a system than trigger an XSS.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #8300

diag_system_activity.php: Potential XSS due to encoding of process output

Updated by Jim Pingle almost 7 years ago

Updated by Anonymous over 6 years ago

Updated by Jim Pingle over 6 years ago

Updated by Jim Pingle over 6 years ago