Bug #16115

Updated by Jim Pingle about 2 months ago

The page at @vpn_ipsec_phase1.php@ does not perform sufficient validation on the @interface@ value submitted by users when creating or editing a Phase 1 entry. This value is sent back to the user without encoding in the IPsec Phase 1 list on @vpn_ipsec.php@ and on @vpn_ipsec_phase1.php@, which is a potential XSS vector.

Creating a new entry with the following data reproduces the problem condition:

<pre>
{
	"descr": "XSS+Test",
	"iketype": "ikev2",
	"protocol": "inet",
	"interface": "wan\"><script>alert('XSS')</script>",
	"remotegw": "198.51.100.254",
	"authentication_method": "pre_shared_key",
	"mode": "main",
	"myid_type": "myaddress",
	"myid_data": "",
	"peerid_type": "peeraddress",
	"peerid_data": "",
	"pskey": "14e1206aafd9bb66a9469c0ee1f570c60ccb283b7cca6192fecf78e1",
	"ealgo_algo0": "aes",
	"ealgo_keylen0": "128",
	"halgo0": "sha256",
	"dhgroup0": "14",
	"prfalgo0": "sha256",
	"lifetime": "28800",
	"rekey_time": "",
	"reauth_time": "",
	"rand_time": "",
	"startaction": "",
	"closeaction": "",
	"nat_traversal": "on",
	"mobike": "off",
	"ikeport": "",
	"nattport": "",
	"dpd_enable": "yes",
	"dpd_delay": "10",
	"dpd_maxfail": "5",
	"ikeid": "",
	"save": "Save"
}
</pre>
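The two defects described above, missing server-side validation of the submitted @interface@ value and unencoded output of that value in the list page, can each be closed independently. The following is an added example illustrating both fixes; it is not pfSense's own code and does not reproduce the project's markup. The interface allow-list, the key format regex, and the row-rendering helpers are constructed assumptions standing in for what a firewall would build from its configuration.

```python
import html
import re

# Constructed allow-list of interface keys. A real firewall would derive this
# from its configured interfaces; this is an assumption, not pfSense's own list.
KNOWN_INTERFACES = {"wan", "lan", "opt1"}

# Assumed shape of an interface key: a short lowercase alphanumeric identifier.
# Anything with quotes, angle brackets or spaces fails here before any lookup.
INTERFACE_KEY_RE = re.compile(r"[a-z][a-z0-9]{0,15}")

# The "interface" value from the bug report's reproduction data.
PAYLOAD = "wan\"><script>alert('XSS')</script>"


def validate_interface(value, known=KNOWN_INTERFACES):
    """Return a list of validation errors for a submitted 'interface' field.

    An empty list means the value is acceptable. The check is an allow-list:
    the value must look like an interface key and must name a known interface.
    """
    errors = []
    if not INTERFACE_KEY_RE.fullmatch(value):
        errors.append("The interface value contains invalid characters.")
    elif value not in known:
        errors.append("The interface value does not refer to a known interface.")
    return errors


def save_phase1(form, known=KNOWN_INTERFACES):
    """Constructed save handler: persist the entry only if validation passes.

    Returns (entry, errors). On failure entry is None and nothing is stored,
    so the payload never reaches the list page in the first place.
    """
    errors = validate_interface(form.get("interface", ""), known)
    if errors:
        return None, errors
    entry = {
        "descr": form.get("descr", ""),
        "interface": form["interface"],
        "remotegw": form.get("remotegw", ""),
    }
    return entry, []


def render_cell_unsafe(iface):
    """The vulnerable pattern: a stored value concatenated straight into HTML."""
    return "<td>" + iface + "</td>"


def render_cell_safe(iface):
    """Output encoding as defence in depth: even a stored malicious value is
    rendered as inert text. quote=True also encodes " and ' so the value is
    safe inside attribute values, not only in element content."""
    return "<td>" + html.escape(iface, quote=True) + "</td>"


if __name__ == "__main__":
    entry, errors = save_phase1({"descr": "XSS Test", "interface": PAYLOAD,
                                 "remotegw": "198.51.100.254"})
    print("stored:", entry)
    print("errors:", errors)
    print("unsafe:", render_cell_unsafe(PAYLOAD))
    print("safe:  ", render_cell_safe(PAYLOAD))
```

Both layers matter: the allow-list stops the bad value from being stored at all, while the encoded output protects the list page against any value that reached the configuration by another route (an older config file, a different editing path).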
