Project

General

Profile

Actions

Bug #8726

closed

Lack of input validation on custom GUI/dashboard settings leads to potential XSS

Added by Jim Pingle over 5 years ago. Updated 5 months ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Web Interface
Target version:
Start date:
07/31/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.x
Affected Architecture:
All

Description

There are a few fields that customize the dashboard and GUI that can be set globally on system.php or per-user on system_usermanager.php or system_user_settings.php. Of these, some allow configurable user input, including: webguicss, webguifixedmenu, webguihostnamemenu, and dashboardcolumns.

These fields rely on basic JS/select lists to enforce their values, which can be easily bypassed by a malicious client.

dashboardcolumns and likely the others can have a string inserted which can lead to a potential stored XSS.

These fields need to be validated on submission, and at least dashboardcolumns needs to be sanitized before display.

Actions

Also available in: Atom PDF