<p>pfSense bugtracker: https://redmine.pfsense.org/</p>
<p>pfSense Packages - Bug #9601: Status_Monitoring rrd_fetch_json.php does not encode errors returned by the RRD module.<br />https://redmine.pfsense.org/issues/9601?journal_id=40923<br />2019-06-25T11:58:06Z, Jim Pingle</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Pushed a fix in Status_Monitoring version 1.7.8.</p>
<p>Before:</p>
<pre>
$ curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
> -d "left=system-processor&right=null&start=&end=&resolution=300&timePeriod=i3i3j<script>alert('XSS')</script>tz9b1&graphtype=line&invert=true&refreshInterval=0" \
> https://x.x.x.x/rrd_fetch_json.php
{ "error" : "start time: unparsable time: endi3i3j<script>alert('XSS')</script>tz9b1+5min" }
</pre>
<p>After:</p>
<pre>
$ curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
> -d "left=system-processor&right=null&start=&end=&resolution=300&timePeriod=i3i3j<script>alert('XSS')</script>tz9b1&graphtype=line&invert=true&refreshInterval=0" \
> https://x.x.x.x/rrd_fetch_json.php
{ "error" : "start time: unparsable time: endi3i3j<script>alert('XSS')<\/script>tz9b1+5min" }
</pre>
<p>Note the escaping on the After. Also confirmed in a browser that it no longer produces an alert after the fix, where it did before.</p>
<p>https://redmine.pfsense.org/issues/9601?journal_id=44251<br />2020-01-17T10:35:28Z, Jim Pingle</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li><li><strong>Target version</strong> set to <i>2.4.5</i></li></ul><p>This is OK on 2.4.5 and 2.5.0, the call returns the escaped version.</p>
<p>https://redmine.pfsense.org/issues/9601?journal_id=45560<br />2020-04-10T09:11:28Z, Jim Pingle</p>
<ul><li><strong>Private</strong> changed from <i>Yes</i> to <i>No</i></li></ul>
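<p>Added example, not the Status_Monitoring source and not part of the ticket: a PHP sketch of the class of bug shown in the Before/After output, with a JSON error body built by string concatenation beside one produced by <code>json_encode()</code>. The function names are hypothetical and the sample message is constructed from the curl output above; the ticket does not show how the actual fix was implemented.</p>

```php
<?php
// Added illustration; function names are hypothetical, not the package's own.

// Constructed sample: the RRD error text echoed in the ticket's curl output.
$rrdError = "start time: unparsable time: endi3i3j<script>alert('XSS')</script>tz9b1+5min";

// "Before" pattern: JSON assembled by string concatenation. Nothing in the
// message is escaped, so markup (and any '"' or '\') passes through verbatim.
function error_body_concat(string $msg): string
{
    return '{ "error" : "' . $msg . '" }';
}

// Hardened pattern: let json_encode() do the escaping. By default it emits
// "\/" for "/", the same form as the "<\/script>" in the ticket's After
// output. JSON_HEX_* additionally turns < > & ' " into \u00XX escapes, so no
// markup characters remain even if the body is ever parsed as HTML.
function error_body_encoded(string $msg): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode(['error' => $msg], $flags);
    if ($json === false) {
        // For example invalid UTF-8 in the message: fall back to a fixed body.
        $json = '{"error":"unencodable error message"}';
    }
    return $json;
}

// Send the body with a JSON content type and disable MIME sniffing so a
// browser does not render the response as a document.
function send_error(string $msg): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo error_body_encoded($msg);
}

// Command-line comparison of the three encodings of the same message.
if (PHP_SAPI === 'cli') {
    echo error_body_concat($rrdError), PHP_EOL;         // unescaped
    echo json_encode(['error' => $rrdError]), PHP_EOL;  // default flags
    echo error_body_encoded($rrdError), PHP_EOL;        // JSON_HEX_* flags
}
```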