Project

General

Profile

Actions

Bug #8302

closed

traffic_graphs.widget.php potential XSS via settings

Added by Jim Pingle over 3 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Dashboard
Target version:
Start date:
01/29/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.x
Affected Architecture:
All

Description

traffic_graphs.widget.php does not perform input validation on its settings, which can lead to a potential XSS due to the way the settings are used in JavaScript.

The widget needs input validation and to encode the setting output before use.

Actions #1

Updated by Jim Pingle over 3 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Anonymous over 3 years ago

On 2.4.2 CE, added traffic graph widget to dash, set refresh interval to 1s, saved, backed up config and edited the config.xml to replace <refreshinterval>1</refreshinterval>
with
<refreshinterval>"/><script>alert(1)</script></refreshinterval>

after the reboot, logged in and got an alert popup on the dashboard.

Upgraded to 2.4.3.a.20180308.0936, logged in, no alert popup on the dashboard, backed up config,
<refreshinterval>"/><script>alert(1)</script></refreshinterval>
still present in the config.

Cannot paste text with letters into the refresh interval field in Widget settings, results in "e1" showing up in the field. Also cannot type letters into the field.

Appears fixed.

Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved
Actions #4

Updated by Jim Pingle over 3 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF