Bug #9294

XSS issues on multiple pages

Added by Jim Pingle 6 months ago. Updated 2 months ago.

Status: Resolved
Priority: Very High
Assignee:
Category: Web Interface
Target version:
Start date: 01/29/2019
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.x
Affected Architecture: All

Description

A list of 30 XSS issues was posted publicly without following responsible disclosure practices; they all need to be tested, confirmed, and fixed. Only 14 are unique; the rest are duplicates.

6 pages affected in total.

Report details:

ID           Type       URL                            Method  Parameter     Payload
XSS1         Reflected  /system_advanced_admin.php     POST    webguiproto   "><script>alert(1)</script>
XSS2         Reflected  /interfaces_assign.php         POST    wan           "><script>alert(2)</script>
XSS3/11/19   Stored     /firewall_rules_edit.php       POST    dscp          "><script>alert(3)</script>
XSS4/12/20   Stored     /firewall_rules_edit.php       POST    tag           "><script>alert(4)</script>
XSS5/13/21   Stored     /firewall_rules_edit.php       POST    tagged        "><script>alert(5)</script>
XSS6/14/22   Stored     /firewall_rules_edit.php       POST    statetype     "><script>alert(6)</script>
XSS7/15/23   Stored     /firewall_rules_edit.php       POST    vlanprio      "><script>alert(7)</script>
XSS8/16/24   Stored     /firewall_rules_edit.php       POST    vlanprioset   "><script>alert(8)</script>
XSS9/17/25   Stored     /firewall_rules_edit.php       POST    dnpipe        "><script>alert(9)</script>
XSS10/18/26  Stored     /firewall_rules_edit.php       POST    defaultqueue  "><script>alert(10)</script>
XSS27        Reflected  /firewall_shaper.php           POST    name          "><script>alert(27)</script>
XSS28        Stored     /services_igmpproxy_edit.php   POST    address0      "><script>alert(28)</script>
XSS29        Stored     /services_ntpd_gps.php         POST    gpstype       "><script>alert(29)</script>
XSS30        Reflected  /diag_traceroute.php           POST    host          "><script>alert(30)</script>

- Exploit Author: Ozer Goker

Associated revisions

Revision 56888f24 (diff)
Added by Jim Pingle 6 months ago

Fix input validation of webguiproto. Issue #9294

Revision 5cc7d21d (diff)
Added by Jim Pingle 6 months ago

Validate submitted interfaces. Issue #9294

Revision 57ccd08b (diff)
Added by Jim Pingle 6 months ago

Encode traceroute error message. Issue #9294

Revision 93898860 (diff)
Added by Jim Pingle 6 months ago

Validate NTP GPS type, encode output. Issue #9294

Revision 261916e5 (diff)
Added by Jim Pingle 6 months ago

Input validation and encoding of IGMP proxy addresses. Issue #9294

Revision 1072b933 (diff)
Added by Jim Pingle 6 months ago

Encode shaper queue name before printing. Issue #9294

Validation is already present and prevents bad values from being entered.

Revision 62baf077 (diff)
Added by Jim Pingle 6 months ago

Add validation and encoding to various firewall advanced values. Issue #9294

Revision 10b06be5 (diff)
Added by Jim Pingle 6 months ago

Fix input validation of webguiproto. Issue #9294

(cherry picked from commit 56888f24ca2715e678a1324633a08d3a611b4136)

Revision 587c2d55 (diff)
Added by Jim Pingle 6 months ago

Validate submitted interfaces. Issue #9294

(cherry picked from commit 5cc7d21dc08be6c65a2bf7f8f4481dc13f4ae115)

Revision f39d3332 (diff)
Added by Jim Pingle 6 months ago

Encode traceroute error message. Issue #9294

(cherry picked from commit 57ccd08bf7ee05b9a00750a1fd9cf8f148e0c9ac)

Revision ca0234c3 (diff)
Added by Jim Pingle 6 months ago

Validate NTP GPS type, encode output. Issue #9294

(cherry picked from commit 938988609c306fcd44e25a053745c4b8332eeeb5)

Revision 7e9de4b1 (diff)
Added by Jim Pingle 6 months ago

Input validation and encoding of IGMP proxy addresses. Issue #9294

(cherry picked from commit 261916e5d3f833a58d5cef1afdadc7495ec2c74b)

Revision 9712ce4e (diff)
Added by Jim Pingle 6 months ago

Encode shaper queue name before printing. Issue #9294

Validation is already present and prevents bad values from being entered.

(cherry picked from commit 1072b9333c47df593420937361349b09a9b73639)

Revision 5c4fef46 (diff)
Added by Jim Pingle 6 months ago

Add validation and encoding to various firewall advanced values. Issue #9294

(cherry picked from commit 62baf0777924b2c21c832db3c0040988e7451c61)

History

#1 Updated by Jim Pingle 6 months ago

  • XSS1 - Reproduced during redirect when changing protocols, added validation for the input and redirect
  • XSS2 - Unable to reproduce directly as stated, the submitted value was not printed back to the user anywhere on that page. I added validation anyhow.
  • XSS3-26 - Reproduced issues with bad values displayed on firewall_rules.php via firewall_check_for_advanced_options() in guiconfig.inc. Added encoding to that function.
  • XSS3/11/19 - Added DSCP value validation.
  • XSS4/12/20 - Added tag value validation.
  • XSS5/13/21 - Added tagged value validation.
  • XSS6/14/22 - Added statetype validation.
  • XSS7/15/23 - Added vlanprio validation.
  • XSS8/16/24 - Added vlanprioset validation.
  • XSS9/17/25 - Added dnpipe/pdnpipe validation.
  • XSS10/18/26 - Added ackqueue/defaultqueue validation.
  • XSS27 - Unable to reproduce as stated. New queue name field has input validation that prevents the input, old queue name is scrubbed before use when editing. Only way I could come close was to hand edit the bad value into config.xml. I added encoding to help there, but I wouldn't consider that a vulnerability as there is no way to reach that state other than directly editing the configuration.
  • XSS28 - Reproduced, but the actual problem was in the entry display on services_igmpproxy.php. Added encoding there, plus input validation on services_igmpproxy_edit.php
  • XSS29 - Could not reproduce directly, but I could see how it could be, though I couldn't make it happen with the given input or other variations. Added validation and fixed encoding of the value before use in JavaScript.
  • XSS30 - Reproduced, added encoding to the error message
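
The two fix patterns the comment above describes (allow-list validation on save, context-appropriate encoding before output), as an added PHP example written for this page; it is not pfSense's own code. The function names, the POST keys it handles, the stand-in allow-list contents and the sample inputs are assumptions for illustration; the payloads are the ones from the report.

```php
<?php
// Added example, not pfSense code: the fix patterns used on this ticket
// (allow-list validation on save, context-appropriate encoding on output)
// on a stand-in page. Function names, the $_POST keys handled and the
// allow-list contents are assumptions; the payloads are from the report.

// Encode a value for an HTML element body or quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Reflected case (cf. XSS30, diag_traceroute.php, "host") ---

// Vulnerable: the submitted host is echoed into an error message as-is.
function traceroute_error_vulnerable(string $host): string
{
    return '<p class="error">Unable to resolve ' . $host . '</p>';
}

// Fixed: same message, value encoded for the HTML context.
function traceroute_error_fixed(string $host): string
{
    return '<p class="error">Unable to resolve ' . h($host) . '</p>';
}

// --- Stored case (cf. XSS3-26: saved by firewall_rules_edit.php, listed by firewall_rules.php) ---

// Stand-in allow-lists; the real ones live in the pfSense source.
const DSCP_ALLOWED      = ['', 'af11', 'af12', 'af13', 'af21', 'af22', 'af23',
                           'af31', 'af32', 'af33', 'af41', 'af42', 'af43', 'ef'];
const STATETYPE_ALLOWED = ['', 'keep state', 'sloppy state', 'synproxy state', 'none'];

// Validate the advanced fields of a rule submission. Returns error strings;
// an empty array means the submission may be written to the config.
function validate_rule_advanced(array $post): array
{
    $errors = [];
    if (!in_array($post['dscp'] ?? '', DSCP_ALLOWED, true)) {
        $errors[] = 'Invalid DSCP value.';
    }
    if (!in_array($post['statetype'] ?? '', STATETYPE_ALLOWED, true)) {
        $errors[] = 'Invalid state type.';
    }
    // Tags are free text: restrict the character set rather than the value.
    foreach (['tag', 'tagged'] as $field) {
        if (!preg_match('/^[A-Za-z0-9_]*$/', $post[$field] ?? '')) {
            $errors[] = "Invalid characters in $field.";
        }
    }
    // 802.1p priority is a 3-bit value (0-7) or empty.
    foreach (['vlanprio', 'vlanprioset'] as $field) {
        $v = $post[$field] ?? '';
        if ($v !== '' && !(ctype_digit($v) && (int)$v <= 7)) {
            $errors[] = "Invalid $field value.";
        }
    }
    return $errors;
}

// Render a rule's stored advanced options for the list page. Encoding here is
// the defence in depth the ticket added: a value that reached config.xml by
// some other route (e.g. hand editing) is still rendered inertly.
function render_advanced_options(array $rule): string
{
    $out = '';
    foreach (['dscp', 'tag', 'tagged', 'statetype', 'vlanprio', 'vlanprioset'] as $field) {
        if (($rule[$field] ?? '') !== '') {
            $out .= '<div>' . h($field) . ': ' . h($rule[$field]) . '</div>';
        }
    }
    return $out;
}

// --- Value emitted into a <script> block (cf. XSS29, services_ntpd_gps.php, "gpstype") ---
// htmlspecialchars() is the wrong encoder inside JavaScript; emit a JSON literal
// with the HEX flags so '<', '>', '&' and quotes cannot close the script element.
function gps_type_script_fixed(string $gpstype): string
{
    $js = json_encode($gpstype, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>var gpstype = ' . $js . ';</script>';
}

// --- Demonstration with constructed input built from the report's payloads ---
$payload = '"><script>alert(30)</script>';
echo traceroute_error_vulnerable($payload), "\n";   // markup passes through unchanged
echo traceroute_error_fixed($payload), "\n";        // markup is encoded as text

// Invalid DSCP and an out-of-range vlanprio are rejected before anything is saved.
print_r(validate_rule_advanced(['dscp' => '"><script>alert(3)</script>', 'tag' => 'web', 'vlanprio' => '9']));
// A well-formed submission produces no errors.
print_r(validate_rule_advanced(['dscp' => 'ef', 'tag' => 'web', 'vlanprio' => '3']));

// A bad value already present in the stored rule is still rendered inertly.
echo render_advanced_options(['dscp' => '"><script>alert(3)</script>', 'tag' => 'web']), "\n";
echo gps_type_script_fixed('"><script>alert(29)</script>'), "\n";
```

Two points a practitioner should take from the ticket's fixes: input validation on the edit page is not sufficient on its own for stored values, because the same config fields can be populated by other routes (the XSS27 note above mentions hand-edited config.xml), so the display page encodes regardless; and the encoder has to match the output context, which is why the XSS29 fix treats a value used in JavaScript differently from one printed into HTML.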

#2 Updated by Jim Pingle 4 months ago

  • Target version changed from 48 to 2.5.0

#3 Updated by Jim Pingle 3 months ago

  • Parent task set to #9398

#4 Updated by Jim Pingle 2 months ago

  • Status changed from Confirmed to Feedback

These have all been handled but need testing and confirmation of the fixes.

#5 Updated by Jim Pingle 2 months ago

  • % Done changed from 0 to 100

#6 Updated by Jim Pingle 2 months ago

  • Target version changed from 2.5.0 to 2.4.4-p3

#7 Updated by Jim Pingle 2 months ago

  • Parent task changed from #9398 to #9515

#8 Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to Resolved
  • Private changed from Yes to No