Project

General

Profile

Actions

Bug #9601

closed

Status_Monitoring rrd_fetch_json.php does not encode errors returned by the RRD module.

Added by Jim Pingle over 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Status_Monitoring
Target version:
Start date:
06/25/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
All
Affected Plus Version:
Affected Architecture:
All

Description

If rrd_fetch() produces an error, this error is sent back in JSON without any processing. If the user creates a specially-crafted set of parameters, the contents of the error may include user input.

In particular, sending timePeriod=i3i3j<script>alert('XSS')</script>tz9b1 in a POST string will result in an error which includes the original input:
{ "error" : "start time: unparsable time: endi3i3j<script>alert('XSS')</script>tz9b1+5min" }

Easiest method to reproduce:

curl -L -k --cookie-jar cookies.txt \
     https://192.168.1.1/ \
     | grep "name='__csrf_magic'" \
     | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
     --data-urlencode "login=Login" \
     --data-urlencode "usernamefld=admin" \
     --data-urlencode "passwordfld=pfsense" \
     --data-urlencode "__csrf_magic=$(cat csrf.txt)" \
     https://192.168.1.1/ > /dev/null

curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
    -d "left=system-processor&right=null&start=&end=&resolution=300&timePeriod=i3i3j<script>alert('XSS')</script>tz9b1&graphtype=line&invert=true&refreshInterval=0" \
    https://192.168.1.1/rrd_fetch_json.php

Actions #1

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Pushed a fix in Status_Monitoring version 1.7.8.

Before:

$ curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
>     -d "left=system-processor&right=null&start=&end=&resolution=300&timePeriod=i3i3j<script>alert('XSS')</script>tz9b1&graphtype=line&invert=true&refreshInterval=0" \
>     https://x.x.x.x/rrd_fetch_json.php
{ "error" : "start time: unparsable time: endi3i3j<script>alert('XSS')</script>tz9b1+5min" }

After:

$ curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
>     -d "left=system-processor&right=null&start=&end=&resolution=300&timePeriod=i3i3j<script>alert('XSS')</script>tz9b1&graphtype=line&invert=true&refreshInterval=0" \
>     https://x.x.x.x/rrd_fetch_json.php
{ "error" : "start time: unparsable time: endi3i3j<script>alert('XSS')<\/script>tz9b1+5min" }

Note the escaping on the After. Also confirmed in a browser that it no longer produces an alert after the fix, where it did before.

Actions #2

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved
  • Target version set to 2.4.5

This is OK on 2.4.5 and 2.5.0, the call returns the escaped version.

Actions #3

Updated by Jim Pingle over 1 year ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF