Bug #8300
Closed
diag_system_activity.php: Potential XSS due to encoding of process output
100%
Description
The top command output is printed to the user without encoding, so if a malicious process is started which contains HTML in its command line or process description then it could trigger an XSS in an administrator's browser.
In order to take advantage of this issue, the user must already be able to execute arbitrary processes, which is a very high barrier. Someone in a position to do this could do far worse things to a system than trigger an XSS.
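An added example, not part of the original report or of the pfSense code: rendering process output in PHP with and without output encoding. The sample top rows, the function names and the choice of htmlspecialchars() are assumptions; the content of the referenced changeset is not shown on this page.

```php
<?php
// Constructed sample of `top` output. The last row is a process whose
// command line carries HTML markup (the string used in the retest below).
$top_output = <<<'EOT'
  PID USERNAME  PRI NICE   SIZE    RES STATE   TIME    WCPU COMMAND
   11 root      155 ki31     0K    32K RUN    41:07  98.10% [idle]
 4312 root       20    0  6960K  2740K select  0:00   0.10% grep -r <script>alert(1)</script> /
EOT;

// Unencoded rendering (the behaviour the report describes): process text
// is placed into the page as-is, so the browser parses it as markup.
function render_raw(string $text): string
{
    return "<pre>" . $text . "</pre>";
}

// Encoded rendering: HTML metacharacters in the process text become
// entities, so the browser displays them instead of interpreting them.
// ENT_SUBSTITUTE matters for process output: without it, a single invalid
// UTF-8 byte in a command line makes htmlspecialchars() return "".
function render_encoded(string $text): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return "<pre>" . htmlspecialchars($text, $flags, 'UTF-8') . "</pre>";
}

$raw  = render_raw($top_output);
$safe = render_encoded($top_output);

echo "raw output contains a script tag:     ";
var_dump(strpos($raw, '<script>') !== false);
echo "encoded output contains a script tag: ";
var_dump(strpos($safe, '<script>') !== false);
echo "encoded output keeps the text visible: ";
var_dump(strpos($safe, '&lt;script&gt;alert(1)&lt;/script&gt;') !== false);

// Edge case: a constructed command line containing an invalid UTF-8 byte.
$odd = "4400 root  20  0  1K  1K run  0:00  0.00% ./tool\xff <b>x</b>";
echo "invalid byte, no ENT_SUBSTITUTE, result is empty: ";
var_dump(htmlspecialchars($odd, ENT_QUOTES, 'UTF-8') === '');
echo "invalid byte, with ENT_SUBSTITUTE, row still rendered and encoded: ";
var_dump(strpos(render_encoded($odd), '&lt;b&gt;x&lt;/b&gt;') !== false);
```

If the page injects the response client-side, the same rule applies there: insert it as text, not as HTML.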
Updated by Jim Pingle almost 7 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset c083e1e49af4902d15173d412feebd8b86a616ee.
Updated by Anonymous over 6 years ago
Running grep -r '<script>alert(1)</script>' / from shell on 2.4.2 generated an alert on Diag > System Activity.
But on pfSense-netgate-memstick-ADI-2.4.3-DEVELOPMENT-amd64-20180307-0900 no alert was generated (the issue appears fixed).