| Summary: | Authenticated Stored XSS | | |
|---|---|---|---|
| Product: | IPFire | Reporter: | Dharmesh B <dharmesh201093> |
| Component: | --- | Assignee: | Michael Tremer <michael.tremer> |
| Status: | CLOSED FIXED | QA Contact: | Arne.F <arne.fitzenreiter> |
| Severity: | Security | | |
| Priority: | - Unknown - | | |
| Version: | 2 | | |
| Hardware: | x86_64 | | |
| OS: | All | | |
Attachments:

- Stored XSS PoC Image. Watch PoC video given in the description for more details.
- Proposed patch
- Patched captive.cgi file
- attachment-31119-0.html
- Fixed
Description
Dharmesh B
2019-05-07 18:33:53 UTC
Thank you very much for submitting this bug report. I marked it as security sensitive, so it won't be publicly visible until a fix is available.

(In reply to Dharmesh B from comment #0)
> PoC Video (PRIVATE):
> https://www.youtube.com/watch?v=5GoVj1cw1pE&feature=youtu.be

This video is "unavailable". You can upload it as an attachment.

Created attachment 676 [details]
Proposed patch

Would you please test this and check if this fixes the issue?
Hi Michael,

Sure. I will follow up and help you with this issue until it is fixed. I'm really sorry for the link that couldn't be accessed. Try this link and let me know if it's working.

https://youtu.be/5GoVj1cw1pE

I couldn't upload the PoC video due to file size restrictions. Try the above link and let me know whether you are able to access it.

Regards,
Dharmesh B

Thanks for your quick reply. The video still doesn't work, but I think I have a clue about what the problem is.

I've figured out the issue with sharing the link. Now it works. Well, that sounds great. Whenever you have doubt, you can check this PoC link.

https://youtu.be/5GoVj1cw1pE

Did you get a chance to confirm that the patch works?

I tried this with the exact input from your video and the XSS vulnerability is gone. The value is now escaped before being stored.

(In reply to Dharmesh B from comment #6)
> I've figured out the issue with sharing the link. Now it works. Well, that
> sounds great. Whenever you have doubt, you can check this PoC link.
>
> https://youtu.be/5GoVj1cw1pE

Hi Michael Tremer,

So before testing do I need to update my IPFire? If so, I tried updating the IPFire but I couldn't update it with the commands mentioned in the link below.

https://blog.ipfire.org/post/ipfire-2-23-core-update-131-has-been-updated

It throws me an error: PAKFIRE ERROR: You need to be online to run pakfire!

Created attachment 677 [details]
Patched captive.cgi file

No, this patch is not yet included in the update. I have attached the changed version of captive.cgi which you can copy to /srv/web/ipfire/cgi-bin/captive.cgi. That is the easiest way.
Created attachment 678 [details]
attachment-31119-0.html
No you don’t need to update the system. This patch doesn’t require anything from the update.
Created attachment 679 [details]
Fixed
The issue got fixed and the script didn't get executed. :)

Great! Thanks for the feedback. Did you apply for a CVE number by any chance?

Yes. I have applied for a CVE for this issue. I still need to get a response from them. When I receive the CVE id I'll let you know in this thread.

Okay, I will make this bug report public again and the fix has been merged into the "next" branch which will become Core Update 132.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=462bc3d1595df12dd16a5d93f86a48e5bf33178b

Thank you very much again for reporting this and helping to make IPFire more secure!

Hi Team,

I have received the CVE for this vulnerability. Here is the CVE for this vulnerability: "CVE-2020-19202". Once the writeup for this vulnerability is created on your website, kindly share the link with me.

Thanks and Regards,
Dharmesh B

Hello,

thank you for this. The fix has already been released almost two years ago:

> https://blog.ipfire.org/post/ipfire-2-23-core-update-132-released

You can use the release announcement or this bug report to refer to the problem.