Bug #9294 (closed)
XSS issues on multiple pages
Start date: 01/29/2019
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.x
Affected Architecture: All
Description
A list of 30 XSS issues was posted publicly without following responsible disclosure practices; they all need to be tested/confirmed/fixed. Only 14 are unique; the rest are duplicated.
6 pages affected in total.
Report details:
| ID | Type | URL | Method | Parameter | Payload |
|---|---|---|---|---|---|
| XSS1 | Reflected | /system_advanced_admin.php | Post | webguiproto | `"><script>alert(1)</script>` |
| XSS2 | Reflected | /interfaces_assign.php | Post | wan | `"><script>alert(2)</script>` |
| XSS3/11/19 | Stored | /firewall_rules_edit.php | Post | dscp | `"><script>alert(3)</script>` |
| XSS4/12/20 | Stored | /firewall_rules_edit.php | Post | tag | `"><script>alert(4)</script>` |
| XSS5/13/21 | Stored | /firewall_rules_edit.php | Post | tagged | `"><script>alert(5)</script>` |
| XSS6/14/22 | Stored | /firewall_rules_edit.php | Post | statetype | `"><script>alert(6)</script>` |
| XSS7/15/23 | Stored | /firewall_rules_edit.php | Post | vlanprio | `"><script>alert(7)</script>` |
| XSS8/16/24 | Stored | /firewall_rules_edit.php | Post | vlanprioset | `"><script>alert(8)</script>` |
| XSS9/17/25 | Stored | /firewall_rules_edit.php | Post | dnpipe | `"><script>alert(9)</script>` |
| XSS10/18/26 | Stored | /firewall_rules_edit.php | Post | defaultqueue | `"><script>alert(10)</script>` |
| XSS27 | Reflected | /firewall_shaper.php | Post | name | `"><script>alert(27)</script>` |
| XSS28 | Stored | /services_igmpproxy_edit.php | Post | address0 | `"><script>alert(28)</script>` |
| XSS29 | Stored | /services_ntpd_gps.php | Post | gpstype | `"><script>alert(29)</script>` |
| XSS30 | Reflected | /diag_traceroute.php | Post | host | `"><script>alert(30)</script>` |
- Exploit Author: Ozer Goker
      
Updated by Jim Pingle almost 7 years ago

- XSS1 - Reproduced during redirect when changing protocols, added validation for the input and redirect
- XSS2 - Unable to reproduce directly as stated, the submitted value was not printed back to the user anywhere on that page. I added validation anyhow.
- XSS3-26 - Reproduced issues with bad values displayed on firewall_rules.php via firewall_check_for_advanced_options() in guiconfig.inc. Added encoding to that function.
- XSS3/11/19 - Added DSCP value validation.
- XSS4/12/20 - Added tag value validation.
- XSS5/13/21 - Added tagged value validation.
- XSS6/14/22 - Added statetype validation.
- XSS7/15/23 - Added vlanprio validation.
- XSS8/16/24 - Added vlanprioset validation.
- XSS9/17/25 - Added dnpipe/pdnpipe validation.
- XSS10/18/26 - Added ackqueue/defaultqueue validation.
- XSS27 - Unable to reproduce as stated. New queue name field has input validation that prevents the input, old queue name is scrubbed before use when editing. Only way I could come close was to hand edit the bad value into config.xml. I added encoding to help there, but I wouldn't consider that a vulnerability as there is no way to reach that state other than directly editing the configuration.
- XSS28 - Reproduced, but the actual problem was in the entry display on services_igmpproxy.php. Added encoding there, plus input validation on services_igmpproxy_edit.php
- XSS29 - Could not reproduce directly, but I could see how it could be, though I couldn't make it happen with the given input or other variations. Added validation and fixed encoding of the value before use in JavaScript.
- XSS30 - Reproduced, added encoding to the error message
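
The fix pattern described in the update above (validate on save, encode on display, encode separately before use in JavaScript), as an added PHP example that is not pfSense code. The function names, the DSCP allow-list and the tag pattern are assumptions made for illustration.

```php
<?php
// Added illustration; function names, the DSCP list and the tag pattern
// are assumptions, not pfSense code.

// Constructed allow-list (a subset of standard DSCP class names).
const DSCP_ALLOWED = ['af11', 'af21', 'af31', 'af41', 'cs1', 'cs5', 'ef'];

// Input validation on save: reject anything outside the allow-list so a
// payload is never written into the stored rule.
function validate_rule_post(array $post): array
{
    $errors = [];
    if (isset($post['dscp']) && $post['dscp'] !== '' &&
        !in_array($post['dscp'], DSCP_ALLOWED, true)) {
        $errors[] = 'Invalid DSCP value.';
    }
    // Tags are free text, so constrain character set and length instead.
    if (isset($post['tag']) && $post['tag'] !== '' &&
        !preg_match('/\A[A-Za-z0-9_]{1,63}\z/', $post['tag'])) {
        $errors[] = 'Invalid tag.';
    }
    return $errors;
}

// Output encoding for HTML text and attribute contexts. ENT_QUOTES matters:
// the reported payloads open with "> to break out of a quoted attribute.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encoding for a value placed in inline JavaScript. The JSON_HEX_* flags
// escape <, >, &, ' and " so a "</script>" in the value cannot end the block.
function js_out(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP |
        JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed sample input: the payload pattern from the report table.
$payload = '"><script>alert(3)</script>';
$post = ['dscp' => $payload, 'tag' => 'lan_out'];

// First layer: the save handler refuses the dscp value.
print_r(validate_rule_post($post));
// Second layer: a bad value already present in stored config renders inertly.
echo '<input name="dscp" value="' . html_out($payload) . '">' . "\n";
echo '<script>var dscp = ' . js_out($payload) . ';</script>' . "\n";
```

Both layers are shown because the update applies both: validation covers new submissions, while encoding covers values that reach the display path some other way, such as the hand-edited config.xml case noted for XSS27.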
 
      
Updated by Jim Pingle over 6 years ago

- Status changed from Confirmed to Feedback
 
These have all been handled but need testing and confirmation of the fixes.
      
Updated by Jim Pingle over 6 years ago

- Target version changed from 2.5.0 to 2.4.4-p3
 
      
Updated by Jim Pingle over 6 years ago

- Status changed from Feedback to Resolved
- Private changed from Yes to No
 