Bug #16935
Updated by Jim Pingle 1 day ago
If a malicious user can register with siproxd using a specially-crafted registration URI, that string can be printed back to the user without encoding on @siproxd_registered_phones.php@. For example: <pre> Contact: <sip:<svg/onload="alert(String.fromCharCode(88,83,83))">@198.51.100.34:5088>;expires=600 </pre> An easy way to test is to copy the following data over @/var/siproxd/siproxd_registrations@ and refresh the page immediately: <pre> ****:1:1783365905 sip:<svg/onload="alert(String.fromCharCode(88,83,83))" sip:user@10.34.0.10:5061 sip:user@198.51.100.34:5061 </pre> Reported by: @lujiefsi