Bug #9294

XSS issues on multiple pages

Added by Jim Pingle 10 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Very High
Assignee:
Category:
Web Interface
Target version:
Start date:
01/29/2019
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.4.x
Affected Architecture:
All

Description

A list of 30 XSS issues was posted publicly without following responsible disclosure practices; they all need to be tested, confirmed and fixed. Only 14 are unique; the rest are duplicates.

6 pages affected in total.

Report details:

ID           Type       URL                           Method  Parameter     Payload
XSS1         Reflected  /system_advanced_admin.php    Post    webguiproto   "><script>alert(1)</script>
XSS2         Reflected  /interfaces_assign.php        Post    wan           "><script>alert(2)</script>
XSS3/11/19   Stored     /firewall_rules_edit.php      Post    dscp          "><script>alert(3)</script>
XSS4/12/20   Stored     /firewall_rules_edit.php      Post    tag           "><script>alert(4)</script>
XSS5/13/21   Stored     /firewall_rules_edit.php      Post    tagged        "><script>alert(5)</script>
XSS6/14/22   Stored     /firewall_rules_edit.php      Post    statetype     "><script>alert(6)</script>
XSS7/15/23   Stored     /firewall_rules_edit.php      Post    vlanprio      "><script>alert(7)</script>
XSS8/16/24   Stored     /firewall_rules_edit.php      Post    vlanprioset   "><script>alert(8)</script>
XSS9/17/25   Stored     /firewall_rules_edit.php      Post    dnpipe        "><script>alert(9)</script>
XSS10/18/26  Stored     /firewall_rules_edit.php      Post    defaultqueue  "><script>alert(10)</script>
XSS27        Reflected  /firewall_shaper.php          Post    name          "><script>alert(27)</script>
XSS28        Stored     /services_igmpproxy_edit.php  Post    address0      "><script>alert(28)</script>
XSS29        Stored     /services_ntpd_gps.php        Post    gpstype       "><script>alert(29)</script>
XSS30        Reflected  /diag_traceroute.php          Post    host          "><script>alert(30)</script>

- Exploit Author: Ozer Goker

Associated revisions

Revision 56888f24 (diff)
Added by Jim Pingle 10 months ago

Fix input validation of webguiproto. Issue #9294

Revision 5cc7d21d (diff)
Added by Jim Pingle 10 months ago

Validate submitted interfaces. Issue #9294

Revision 57ccd08b (diff)
Added by Jim Pingle 10 months ago

Encode traceroute error message. Issue #9294

Revision 93898860 (diff)
Added by Jim Pingle 10 months ago

Validate NTP GPS type, encode output. Issue #9294

Revision 261916e5 (diff)
Added by Jim Pingle 10 months ago

Input validation and encoding of IGMP proxy addresses. Issue #9294

Revision 1072b933 (diff)
Added by Jim Pingle 10 months ago

Encode shaper queue name before printing. Issue #9294

Validation is already present and prevents bad values from being entered.

Revision 62baf077 (diff)
Added by Jim Pingle 10 months ago

Add validation and encoding to various firewall advanced values. Issue #9294

Revision 10b06be5 (diff)
Added by Jim Pingle 10 months ago

Fix input validation of webguiproto. Issue #9294

(cherry picked from commit 56888f24ca2715e678a1324633a08d3a611b4136)

Revision 587c2d55 (diff)
Added by Jim Pingle 10 months ago

Validate submitted interfaces. Issue #9294

(cherry picked from commit 5cc7d21dc08be6c65a2bf7f8f4481dc13f4ae115)

Revision f39d3332 (diff)
Added by Jim Pingle 10 months ago

Encode traceroute error message. Issue #9294

(cherry picked from commit 57ccd08bf7ee05b9a00750a1fd9cf8f148e0c9ac)

Revision ca0234c3 (diff)
Added by Jim Pingle 10 months ago

Validate NTP GPS type, encode output. Issue #9294

(cherry picked from commit 938988609c306fcd44e25a053745c4b8332eeeb5)

Revision 7e9de4b1 (diff)
Added by Jim Pingle 10 months ago

Input validation and encoding of IGMP proxy addresses. Issue #9294

(cherry picked from commit 261916e5d3f833a58d5cef1afdadc7495ec2c74b)

Revision 9712ce4e (diff)
Added by Jim Pingle 10 months ago

Encode shaper queue name before printing. Issue #9294

Validation is already present and prevents bad values from being entered.

(cherry picked from commit 1072b9333c47df593420937361349b09a9b73639)

Revision 5c4fef46 (diff)
Added by Jim Pingle 10 months ago

Add validation and encoding to various firewall advanced values. Issue #9294

(cherry picked from commit 62baf0777924b2c21c832db3c0040988e7451c61)

History

#1 Updated by Jim Pingle 10 months ago

  • XSS1 - Reproduced during redirect when changing protocols, added validation for the input and redirect
  • XSS2 - Unable to reproduce directly as stated, the submitted value was not printed back to the user anywhere on that page. I added validation anyhow.
  • XSS3-26 - Reproduced issues with bad values displayed on firewall_rules.php via firewall_check_for_advanced_options() in guiconfig.inc. Added encoding to that function.
  • XSS3/11/19 - Added DSCP value validation.
  • XSS4/12/20 - Added tag value validation.
  • XSS5/13/21 - Added tagged value validation.
  • XSS6/14/22 - Added statetype validation.
  • XSS7/15/23 - Added vlanprio validation.
  • XSS8/16/24 - Added vlanprioset validation.
  • XSS9/17/25 - Added dnpipe/pdnpipe validation.
  • XSS10/18/26 - Added ackqueue/defaultqueue validation.
  • XSS27 - Unable to reproduce as stated. New queue name field has input validation that prevents the input, old queue name is scrubbed before use when editing. Only way I could come close was to hand edit the bad value into config.xml. I added encoding to help there, but I wouldn't consider that a vulnerability as there is no way to reach that state other than directly editing the configuration.
  • XSS28 - Reproduced, but the actual problem was in the entry display on services_igmpproxy.php. Added encoding there, plus input validation on services_igmpproxy_edit.php
  • XSS29 - Could not reproduce directly, but I could see how it could be, though I couldn't make it happen with the given input or other variations. Added validation and fixed encoding of the value before use in JavaScript.
  • XSS30 - Reproduced, added encoding to the error message
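The two-layer fix described for the firewall rule advanced fields (validate each submitted value on firewall_rules_edit.php, and HTML-encode the stored value where firewall_rules.php prints it), as an added illustration that is not pfSense's own code from these commits. The field names come from the report; the helper names and the allowed-value lists are assumptions.

```php
<?php
// Added example, not pfSense's own code. The allowed-value lists are
// assumptions for illustration; the field names come from the report.
$allowed_dscp      = ['', 'af11', 'af12', 'cs1', 'ef'];
$allowed_statetype = ['', 'keep state', 'sloppy state', 'synproxy state', 'none'];

// Layer 1: validate on submit, so a bad value never reaches config.xml.
function validate_advanced_options(array $post, array $allowed_dscp, array $allowed_statetype): array {
    $errors = [];
    if (!in_array($post['dscp'] ?? '', $allowed_dscp, true)) {
        $errors[] = 'Invalid DSCP value.';
    }
    if (!in_array($post['statetype'] ?? '', $allowed_statetype, true)) {
        $errors[] = 'Invalid state type.';
    }
    // Tags are opaque identifiers: allow only a conservative character class.
    foreach (['tag', 'tagged'] as $f) {
        if (($post[$f] ?? '') !== '' && !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $post[$f])) {
            $errors[] = "Invalid {$f} value.";
        }
    }
    // VLAN priority is a 3-bit field: 0-7 or empty.
    foreach (['vlanprio', 'vlanprioset'] as $f) {
        if (($post[$f] ?? '') !== '' && !preg_match('/^[0-7]$/', $post[$f])) {
            $errors[] = "Invalid {$f} value.";
        }
    }
    return $errors;
}

// Layer 2: encode every stored value at output time, so a value that
// slipped past validation (or was hand-edited into config.xml) renders inert.
function advanced_options_summary(array $rule): string {
    $fields = ['dscp', 'tag', 'tagged', 'statetype', 'vlanprio',
               'vlanprioset', 'dnpipe', 'defaultqueue'];
    $parts = [];
    foreach ($fields as $f) {
        if (($rule[$f] ?? '') !== '') {
            $parts[] = $f . ': ' . htmlspecialchars($rule[$f], ENT_QUOTES, 'UTF-8');
        }
    }
    return implode('<br/>', $parts);
}

// Constructed input using the report's payload shape.
$bad = ['dscp' => '"><script>alert(3)</script>', 'vlanprio' => '9'];
print_r(validate_advanced_options($bad, $allowed_dscp, $allowed_statetype));
echo advanced_options_summary($bad), "\n";
```

The validation step rejects both constructed values, and the summary shows the stored string with its quotes and angle brackets encoded, which is the property the encoding added to firewall_check_for_advanced_options() provides even for values already in the configuration.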

#2 Updated by Jim Pingle 8 months ago

  • Target version changed from 48 to 2.5.0

#3 Updated by Jim Pingle 7 months ago

  • Parent task set to #9398

#4 Updated by Jim Pingle 6 months ago

  • Status changed from Confirmed to Feedback

These have all been handled but need testing and confirmation of the fixes.

#5 Updated by Jim Pingle 6 months ago

  • % Done changed from 0 to 100

#6 Updated by Jim Pingle 6 months ago

  • Target version changed from 2.5.0 to 2.4.4-p3

#7 Updated by Jim Pingle 6 months ago

  • Parent task changed from #9398 to #9515

#8 Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved
  • Private changed from Yes to No