Bug #16114
Updated by Jim Pingle about 2 months ago
The page at @firewall_schedule_edit.php@ does not perform sufficient validation on the @schedule@ values submitted by users. This value is sent back to the user on @firewall_schedule.php@ without encoding, which is a potential XSS vector. Furthermore, the value may also cause a PHP error on @firewall_schedule_edit.php@ which prevents further edits from being made to schedules.
Creating a new entry with the following data reproduces the problem condition:
<pre>
{
  "name": "XSS_Test_Sched",
  "descr": "XSS+Test",
  "monthsel": "3",
  "starttimehour": "0",
  "starttimemin": "00",
  "stoptimehour": "23",
  "stoptimemin": "59",
  "timerangedescr": "",
  "tempFriendlyTime0": "Sun",
  "starttime0": "0:00",
  "stoptime0": "23:59",
  "timedescr0": "",
  "schedule0": "w11p3-m3d12\"><script>alert('XSS')</script>",
  "marker": "",
  "save": "Save"
}
</pre>
Attempting to edit the problematic entry will result in a PHP error:
<pre>
PHP Fatal error: Uncaught TypeError: mktime(): Argument #5 ($day) must be of type ?int, string given in /usr/local/www/firewall_schedule_edit.php:494
Stack trace:
#0 /usr/local/www/firewall_schedule_edit.php(494): mktime(0, 0, 0, '3', '12"><572025-03-...', '2025')
#1 {main}
thrown in /usr/local/www/firewall_schedule_edit.php on line 494
</pre>
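The two controls the description finds missing, strict validation of the submitted @schedule@ value and encoding when it is echoed back, shown as an added example that is not pfSense code. The helper names and the value grammar (cells like @w11p3@ or @m3d12@ joined by @-@ or @,@, inferred only from the sample value above) are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed grammar, inferred only from the sample value in this report:
// one or more cells like "w11p3" or "m3d12", joined by "-" or ",".
// The real pfSense format may differ.
const CELL_RE = '(?:w\d{1,2}p\d{1,2}|m\d{1,2}d\d{1,2})';
const SCHEDULE_RE = '/\A' . CELL_RE . '(?:[-,]' . CELL_RE . ')*\z/';

/** Hypothetical helper: true only if $value matches the assumed grammar. */
function schedule_value_is_valid(string $value): bool
{
    if (preg_match(SCHEDULE_RE, $value) !== 1) {
        return false;
    }
    // Range-check every month/day cell so a later mktime() call
    // only ever receives integers that form a real calendar date.
    preg_match_all('/m(\d{1,2})d(\d{1,2})/', $value, $cells, PREG_SET_ORDER);
    foreach ($cells as $cell) {
        // The value carries no year; 2024 (a leap year) lets Feb 29 pass.
        if (!checkdate((int)$cell[1], (int)$cell[2], 2024)) {
            return false;
        }
    }
    return true;
}

/** Hypothetical helper: encode for HTML text or a quoted attribute. */
function schedule_value_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a well-formed value, an out-of-range date,
// and the full sample value from this report.
$samples = [
    'w11p3-m3d12',
    'w11p3-m13d40',
    'w11p3-m3d12"><script>alert(\'XSS\')</script>',
];

foreach ($samples as $s) {
    printf("%-7s %s\n",
        schedule_value_is_valid($s) ? 'accept' : 'reject',
        schedule_value_for_html($s));
}
```

Only the first sample is accepted. The encoded form of the third contains no raw quote or angle bracket, so it stays inert even if a stored value that predates the validation is displayed.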