Bug #16744
Updated by Jim Pingle 22 days ago
The page at @services_dhcpv6.php@ does not perform sufficient validation on the user input value of Delegated Length (@pddellen@) when saving settings. This value is subsequently used in JavaScript without encoding if the DHCP backend is set to Kea, which is a potential XSS vector. The @pdprefixlen@ also lacks sufficient validation, but it does not appear to be vulnerable.

Creating an entry with a value such as this example reproduces the problem condition:

<pre><code class="javascript">
{
  "if": "lan",
  "pdprefix": "2001:db8:12:34::",
  "pdprefixlen": "64",
  "pddellen": '64" || alert(\"XSS\") || \"',
  "denyunknown": "disabled",
  "save": "Save",
}
</code></pre>

Simple POC attached.
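
One way to close both gaps described in this report, as an added example that is not pfSense's actual fix: validate the length fields as plain integers on save, and JSON-encode any value written into inline JavaScript. The function names and the 1 to 128 range are assumptions; the POST data is constructed from the value in the report.

```php
<?php
// Added example, not pfSense code. Function names and the 1-128 range are assumptions.

/** Return the length as an int, or null if the input is not a plain integer in range. */
function validate_prefix_len($raw, int $min = 1, int $max = 128): ?int
{
    // ctype_digit() rejects signs, whitespace, quotes and anything trailing the digits.
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT enforces the range and rejects overflow and leading zeros.
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return ($n === false) ? null : $n;
}

/** Encode a value as a JavaScript literal that is safe inside an inline <script> block. */
function js_literal($value): string
{
    // The HEX flags turn <, >, &, ' and " into \uXXXX escapes, so the value cannot
    // terminate the string literal or the enclosing script element.
    return json_encode($value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed POST data, reusing the value from the report above.
$post = [
    'pdprefixlen' => '64',
    'pddellen'    => '64" || alert("XSS") || "',
];

// Input validation on save: reject anything that is not an integer in range.
$input_errors = [];
foreach (['pdprefixlen', 'pddellen'] as $key) {
    if (validate_prefix_len($post[$key] ?? null) === null) {
        $input_errors[] = "$key must be an integer between 1 and 128.";
    }
}
print_r($input_errors);

// Output encoding as defense in depth: even a value that slipped past validation
// is emitted as an inert string literal rather than as script.
echo 'var pddellen = ' . js_literal($post['pddellen']) . ";\n";
```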