Bug #12725
Updated by Jim Pingle almost 3 years ago
The @pkg_filter@ parameter on @pkg.php@ is not encoded before being printed back to the user, leading to a potential XSS. Additionally, submitting an invalid regex pattern prints an ugly PHP error on the page, for example:

<pre>
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
</pre>

Both problems are solved by sanitizing the content of the variable and also by removing unnecessary output of the variable in question.

The simplest way to reproduce the problem is:

* Install a package such as FreeRADIUS which uses this feature of pkg.php on its *Users* tab.
* Create a user or two if none exist
* Submit a string in the "Filter text" field such as @--><script>alert('XSS')</script><!--@ to check for XSS and the PHP error
* Also submit a simple string in the "Filter text" field such as @one/two@ to reproduce the PHP error without XSS

Before the fix is in place, the first test will produce a JavaScript alert with the text "XSS" along with a PHP error on the page above the "Filter by" line. The second test will produce the PHP error but not the JS alert.

After the fix is in place, neither string will produce an error and filter text that matches an existing account will filter the list appropriately.
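The vulnerable shape beside one hardened form, as an added example that is not pfSense's own pkg.php code: the function names and sample rows are constructed for illustration, and treating the filter as literal text via @preg_quote()@ is a choice made here, not necessarily how the project fixed it.

```php
<?php
// Added illustration, not pfSense's pkg.php: a minimal stand-in for the
// "Filter text" handling the report describes. The function names and the
// sample rows below are constructed for this example.

// Constructed sample rows, standing in for the accounts listed on the Users tab.
$rows = ['alice', 'bob', 'one/two'];

// Vulnerable shape: the parameter is reflected raw into the page and dropped
// straight into a regex, so '<' survives into the HTML and a '/' in the input
// terminates the pattern early (PHP then warns "Unknown modifier ...").
function render_filter_vulnerable(array $rows, string $pkg_filter): string {
    $out = '<input name="pkg_filter" value="' . $pkg_filter . "\">\n";
    foreach ($rows as $row) {
        if (preg_match('/' . $pkg_filter . '/i', $row)) {
            $out .= '<li>' . $row . "</li>\n";
        }
    }
    return $out;
}

// Hardened shape: HTML-encode whatever is reflected, and treat the filter as
// literal text by quoting regex metacharacters (including the '/' delimiter)
// before it reaches preg_match(); a false return is still handled explicitly.
function render_filter_safe(array $rows, string $pkg_filter): string {
    $safe = htmlspecialchars($pkg_filter, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $out = '<input name="pkg_filter" value="' . $safe . "\">\n";
    $pattern = '/' . preg_quote($pkg_filter, '/') . '/i';
    foreach ($rows as $row) {
        $hit = preg_match($pattern, $row);
        if ($hit === false) {   // pattern failed to compile: fail closed, never echo it raw
            return $out . "<p>Invalid filter text.</p>\n";
        }
        if ($hit === 1) {
            $out .= '<li>' . htmlspecialchars($row, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</li>\n";
        }
    }
    return $out;
}

// Constructed inputs: the report's "one/two" case, plus markup that must not reach the page raw.
foreach (['one/two', '"><b>not bold</b>'] as $input) {
    echo "--- vulnerable, input {$input}\n", render_filter_vulnerable($rows, $input);
    echo "--- hardened, input {$input}\n", render_filter_safe($rows, $input);
}
```

Run under the PHP CLI, the vulnerable branch emits the same "Unknown modifier" warning for both inputs and reflects the markup unchanged, while the hardened branch returns the encoded value and still lists the @one/two@ account.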