Bug #9294
closed
XSS issues on multiple pages
Added by Jim Pingle almost 6 years ago.
Updated over 5 years ago.
Affected Architecture: All
Description
A list of 30 XSS issues was posted publicly without following responsible disclosure practices; they all need to be tested, confirmed, and fixed. Only 14 are unique; the rest are duplicates.
6 pages affected in total.
Report details:
ID | Type | URL | Method | Parameter | Payload
XSS1 | Reflected | /system_advanced_admin.php | Post | webguiproto | "><script>alert(1)</script>
XSS2 | Reflected | /interfaces_assign.php | Post | wan | "><script>alert(2)</script>
XSS3/11/19 | Stored | /firewall_rules_edit.php | Post | dscp | "><script>alert(3)</script>
XSS4/12/20 | Stored | /firewall_rules_edit.php | Post | tag | "><script>alert(4)</script>
XSS5/13/21 | Stored | /firewall_rules_edit.php | Post | tagged | "><script>alert(5)</script>
XSS6/14/22 | Stored | /firewall_rules_edit.php | Post | statetype | "><script>alert(6)</script>
XSS7/15/23 | Stored | /firewall_rules_edit.php | Post | vlanprio | "><script>alert(7)</script>
XSS8/16/24 | Stored | /firewall_rules_edit.php | Post | vlanprioset | "><script>alert(8)</script>
XSS9/17/25 | Stored | /firewall_rules_edit.php | Post | dnpipe | "><script>alert(9)</script>
XSS10/18/26 | Stored | /firewall_rules_edit.php | Post | defaultqueue | "><script>alert(10)</script>
XSS27 | Reflected | /firewall_shaper.php | Post | name | "><script>alert(27)</script>
XSS28 | Stored | /services_igmpproxy_edit.php | Post | address0 | "><script>alert(28)</script>
XSS29 | Stored | /services_ntpd_gps.php | Post | gpstype | "><script>alert(29)</script>
XSS30 | Reflected | /diag_traceroute.php | Post | host | "><script>alert(30)</script>
- Exploit Author: Ozer Goker
- XSS1 - Reproduced during redirect when changing protocols, added validation for the input and redirect
- XSS2 - Unable to reproduce directly as stated, the submitted value was not printed back to the user anywhere on that page. I added validation anyhow.
- XSS3-26 - Reproduced issues with bad values displayed on firewall_rules.php via firewall_check_for_advanced_options() in guiconfig.inc. Added encoding to that function.
- XSS3/11/19 - Added DSCP value validation.
- XSS4/12/20 - Added tag value validation.
- XSS5/13/21 - Added tagged value validation.
- XSS6/14/22 - Added statetype validation.
- XSS7/15/23 - Added vlanprio validation.
- XSS8/16/24 - Added vlanprioset validation.
- XSS9/17/25 - Added dnpipe/pdnpipe validation.
- XSS10/18/26 - Added ackqueue/defaultqueue validation.
- XSS27 - Unable to reproduce as stated. New queue name field has input validation that prevents the input, old queue name is scrubbed before use when editing. Only way I could come close was to hand edit the bad value into config.xml. I added encoding to help there, but I wouldn't consider that a vulnerability as there is no way to reach that state other than directly editing the configuration.
- XSS28 - Reproduced, but the actual problem was in the entry display on services_igmpproxy.php. Added encoding there, plus input validation on services_igmpproxy_edit.php
- XSS29 - Could not reproduce directly, but I could see how it could be, though I couldn't make it happen with the given input or other variations. Added validation and fixed encoding of the value before use in JavaScript.
- XSS30 - Reproduced, added encoding to the error message
- Target version changed from 48 to 2.5.0
- Status changed from Confirmed to Feedback
These have all been handled but need testing and confirmation of the fixes.
- % Done changed from 0 to 100
- Target version changed from 2.5.0 to 2.4.4-p3
- Parent task changed from #9398 to #9515
- Status changed from Feedback to Resolved
- Private changed from Yes to No
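As an added illustration of the two fixes the notes describe for the stored firewall_rules_edit.php issues (allow-list validation on save, plus HTML encoding where the rule list displays the stored values), here is simplified PHP that is not pfSense's own code: the function names, the DSCP allow-list and the sample rule are constructed for the example.

```php
<?php
// Added example, not pfSense code: the two fixes the notes describe,
// applied to a simplified rule-display helper. Function names and the
// allow-lists below are hypothetical, constructed for illustration.
// DSCP names accepted on save (constructed sample, not the project's list).
const VALID_DSCP = ['af11', 'af12', 'af13', 'af21', 'cs0', 'cs1', 'ef'];

// Save-time validation (the firewall_rules_edit.php side): reject anything
// outside the allow-list so a payload never reaches config.xml.
function validate_rule_input(array $post): array {
    $errors = [];
    $set = function ($k) use ($post) { return isset($post[$k]) && $post[$k] !== ''; }; // '0' counts as set
    if ($set('dscp') && !in_array($post['dscp'], VALID_DSCP, true)) {
        $errors[] = 'Invalid DSCP value.';
    }
    if ($set('vlanprio') && !preg_match('/^[0-7]$/', $post['vlanprio'])) {
        $errors[] = 'Invalid VLAN priority value.'; // 802.1p PCP is 0-7
    }
    if ($set('tag') && !preg_match('/^[A-Za-z0-9_]+$/', $post['tag'])) {
        $errors[] = 'Invalid tag value.';
    }
    return $errors;
}

// Vulnerable shape of the display helper (the firewall_rules.php side):
// the stored value is concatenated straight into HTML, so a stored
// "><script>... payload runs for anyone who views the rule list.
function advanced_options_html_vulnerable(array $rule): string {
    return 'DSCP: ' . $rule['dscp'];
}

// Hardened: every stored value is HTML-encoded at the point of output,
// independently of save-time validation, so even a value hand-edited into
// config.xml is rendered as inert text.
function advanced_options_html(array $rule): string {
    $parts = [];
    foreach (['dscp', 'tag', 'tagged', 'statetype', 'vlanprio'] as $field) {
        if (isset($rule[$field]) && $rule[$field] !== '') {
            $parts[] = $field . ': ' . htmlspecialchars($rule[$field], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }
    }
    return implode('; ', $parts);
}

// Constructed stored rule carrying the reported payload.
$rule = ['dscp' => '"><script>alert(3)</script>', 'vlanprio' => '5'];
echo advanced_options_html_vulnerable($rule), "\n"; // markup emitted verbatim
echo advanced_options_html($rule), "\n";            // payload shown as entities
print_r(validate_rule_input($rule));                // DSCP rejected on save
```

Both fixes are applied together because the notes report that a bad value could also be hand-edited into config.xml; validation alone would not cover that path, while encoding alone would leave the payload stored.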