Project

General

Profile

Actions

Bug #9294

closed

XSS issues on multiple pages

Added by Jim Pingle almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Very High
Assignee:
Category:
Web Interface
Target version:
Start date:
01/29/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.x
Affected Architecture:
All

Description

A list of 30 XSS issues was posted publicly without following responsible disclosure practices, they all need tested/confirmed/fixed. Only 14 are unique, the rest are duplicated.

6 pages affected in total.

Report details:

ID Type URL Method Parameter Payload
XSS1 Reflected /system_advanced_admin.php Post webguiproto "><script>alert(1)</script>
XSS2 Reflected /interfaces_assign.php Post wan "><script>alert(2)</script>
XSS3/11/19 Stored /firewall_rules_edit.php Post dscp "><script>alert(3)</script>
XSS4/12/20 Stored /firewall_rules_edit.php Post tag "><script>alert(4)</script>
XSS5/13/21 Stored /firewall_rules_edit.php Post tagged "><script>alert(5)</script>
XSS6/14/22 Stored /firewall_rules_edit.php Post statetype "><script>alert(6)</script>
XSS7/15/23 Stored /firewall_rules_edit.php Post vlanprio "><script>alert(7)</script>
XSS8/16/24 Stored /firewall_rules_edit.php Post vlanprioset "><script>alert(8)</script>
XSS9/17/25 Stored /firewall_rules_edit.php Post dnpipe "><script>alert(9)</script>
XSS10/18/26 Stored /firewall_rules_edit.php Post defaultqueue "><script>alert(10)</script>
XSS27 Reflected /firewall_shaper.php Post name "><script>alert(27)</script>
XSS28 Stored /services_igmpproxy_edit.php Post address0 "><script>alert(28)</script>
XSS29 Stored /services_ntpd_gps.php Post gpstype "><script>alert(29)</script>
XSS30 Reflected /diag_traceroute.php Post host "><script>alert(30)</script>

- Exploit Author: Ozer Goker

Actions #1

Updated by Jim Pingle almost 3 years ago

  • XSS1 - Reproduced during redirect when changing protocols, added validation for the input and redirect
  • XSS2 - Unable to reproduce directly as stated, the submitted value was not printed back to the user anywhere on that page. I added validation anyhow.
  • XSS3-26 - Reproduced issues with bad values displayed on firewall_rules.php via firewall_check_for_advanced_options() in guiconfig.inc. Added encoding to that function.
  • XSS3/11/19 - Added DSCP value validation.
  • XSS4/12/20 - Added tag value validation.
  • XSS5/13/21 - Added tagged value validation.
  • XSS6/14/22 - Added statetype validation.
  • XSS7/15/23 - Added vlanprio validation.
  • XSS8/16/24 - Added vlanprioset validation.
  • XSS9/17/25 - Added dnpipe/pdnpipe validation.
  • XSS10/18/26 - Added ackqueue/defaultqueue validation.
  • XSS27 - Unable to reproduce as stated. New queue name field has input validation that prevents the input, old queue name is scrubbed before use when editing. Only way I could come close was to hand edit the bad value into config.xml. I added encoding to help there, but I wouldn't consider that a vulnerability as there is no way to reach that state other than directly editing the configuration.
  • XSS28 - Reproduced, but the actual problem was in the entry display on services_igmpproxy.php. Added encoding there, plus input validation on services_igmpproxy_edit.php
  • XSS29 - Could not reproduce directly, but I could see how it could be, though I couldn't make it happen with the given input or other variations. Added validation and fixed encoding of the value before use in JavaScript.
  • XSS30 - Reproduced, added encoding to the error message
Actions #2

Updated by Jim Pingle over 2 years ago

  • Target version changed from 48 to 2.5.0
Actions #3

Updated by Jim Pingle over 2 years ago

  • Parent task set to #9398
Actions #4

Updated by Jim Pingle over 2 years ago

  • Status changed from Confirmed to Feedback

These have all been handled but need testing and confirmation of the fixes.

Actions #5

Updated by Jim Pingle over 2 years ago

  • % Done changed from 0 to 100
Actions #6

Updated by Jim Pingle over 2 years ago

  • Target version changed from 2.5.0 to 2.4.4-p3
Actions #7

Updated by Jim Pingle over 2 years ago

  • Parent task changed from #9398 to #9515
Actions #8

Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to Resolved
  • Private changed from Yes to No
Actions

Also available in: Atom PDF