Bug 12071 (CVE-2020-19202)

Summary: Authenticated Stored XSS
Product: IPFire
Reporter: Dharmesh B <dharmesh201093>
Component: ---
Assignee: Michael Tremer <michael.tremer>
Status: CLOSED FIXED
QA Contact: Arne.F <arne.fitzenreiter>
Severity: Security
Priority: - Unknown -
Version: 2
Hardware: x86_64
OS: All
Attachments: Stored XSS PoC Image. Watch PoC video given in the description for more details.
Proposed patch
Patched captive.cgi file
attachment-31119-0.html
Fixed

Description Dharmesh B 2019-05-07 18:33:53 UTC
Created attachment 675 [details]
Stored XSS PoC Image. Watch PoC video given in the description for more details.

Hi Team,

Topic:     Stored XSS (Cross-site Scripting)
Severity:  Critical
Product:   IPFire - The Open Source Firewall
Module:    WebGUI
Bug Found: Friday 07 May 2019
Affects:   IPFire 2.21 (x86_64) - Core Update 130

1. Problem Description

An authenticated Stored XSS (Cross-site Scripting) exists in the Captive Portal (https://localhost:444/cgi-bin/captive.cgi) via the "Title of Login Page" text box, i.e. the "TITLE" parameter. This is due to a lack of user input validation for the "Title of Login Page" text box ("TITLE" parameter). It allows an authenticated WebGUI user with privileges for the affected page to execute Stored Cross-site Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which helps an attacker redirect the victim to an attacker's page. The Stored XSS is triggered on the victim's page whenever the victim tries to access the Captive Portal page.

2. Impact

An attacker gets access to the victim's session by performing CSRF and gathering the cookie and session IDs, or can possibly change the victim's configuration using this Stored XSS. This attack can possibly spoof the victim's information.


3. Solution

The user input needs to be validated, and special characters also need to be encoded in the configuration pages.

Ref: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md

4. Credits
Name: Dharmesh Baskaran
URL: https://www.linkedin.com/in/dharmeshbaskaran


PoC Video (PRIVATE): https://www.youtube.com/watch?v=5GoVj1cw1pE&feature=youtu.be
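As an added illustration of the output-encoding fix the report asks for (example code written for this page, not IPFire's captive.cgi or the patch attached below), the following Python snippet models a minimal renderer that stores a "Title of Login Page" value and shows it both on the portal page (element text) and back in the settings form (attribute value). The function names, the sample titles and the regression check are all constructed for this example; the point it shows is that encoding at output time removes the injected tag while the original title still round-trips into the form field.

```python
"""Output encoding for a stored setting rendered into HTML.

Illustrative example (not IPFire's captive.cgi): a stored "Title of Login
Page" value is rendered twice, once as element text on the portal page and
once as the value attribute of the settings form. The vulnerable renderer
interpolates the stored value raw; the hardened one HTML-encodes it.
"""
import html
import re

# Constructed sample inputs: a benign title with quotes and a non-ASCII
# character, and a title that carries HTML markup (generic XSS test string).
BENIGN_TITLE = 'Guest Wi-Fi at Café "Ostsee"'
MARKUP_TITLE = '<img src=x onerror="alert(1)">Welcome'


def render_vulnerable(title: str) -> str:
    """Render the stored title without any encoding (the reported defect)."""
    return (
        f"<h1>{title}</h1>\n"
        f'<input type="text" name="TITLE" value="{title}">'
    )


def render_hardened(title: str) -> str:
    """Render the stored title with HTML encoding applied at output time.

    html.escape(quote=True) encodes & < > " and ', which is sufficient for
    both the element-text context (<h1>) and the double-quoted attribute.
    """
    safe = html.escape(title, quote=True)
    return (
        f"<h1>{safe}</h1>\n"
        f'<input type="text" name="TITLE" value="{safe}">'
    )


# Any tag other than the two the template itself emits is foreign, i.e.
# it came from the stored value rather than from the template.
_FOREIGN_TAG_RE = re.compile(r"<(?!/?(?:h1|input)\b)[^>]*>", re.IGNORECASE)


def contains_foreign_tag(rendered: str) -> bool:
    """Regression check: does the rendered page contain a tag the template
    did not write? True means stored data reached the page as markup."""
    return _FOREIGN_TAG_RE.search(rendered) is not None


def stored_value_shown_in_form(rendered: str) -> str:
    """Decode the TITLE attribute the way a browser would, so we can confirm
    the admin still sees the exact title they typed (no data loss)."""
    match = re.search(r'name="TITLE" value="([^"]*)"', rendered)
    return html.unescape(match.group(1)) if match else ""


if __name__ == "__main__":
    for title in (BENIGN_TITLE, MARKUP_TITLE):
        for name, render in (("vulnerable", render_vulnerable),
                             ("hardened", render_hardened)):
            out = render(title)
            print(f"{name:10} foreign tag: {contains_foreign_tag(out)!s:5} "
                  f"form shows original: {stored_value_shown_in_form(out) == title}")
```

The vulnerable renderer injects the `<img>` tag into the page and also truncates the title in the form field (the embedded quote ends the attribute early), whereas the hardened renderer yields no foreign tag and returns the original title unchanged when the attribute is decoded. Encoding at output time is the approach the OWASP cheat sheet linked above recommends; the IPFire patch discussed later in this thread escapes the value before storing it instead, which also removes the tag but means the stored setting is no longer the literal text the admin typed.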
Comment 1 Michael Tremer 2019-05-07 21:25:33 UTC
Thank you very much for submitting this bug report.

I marked it as security sensitive, so it won't be publicly visible until a fix is available.
Comment 2 Michael Tremer 2019-05-07 21:27:03 UTC
(In reply to Dharmesh B from comment #0)
> PoC Video (PRIVATE):
> https://www.youtube.com/watch?v=5GoVj1cw1pE&feature=youtu.be

This video is "unavailable". You can upload it as an attachment.
Comment 3 Michael Tremer 2019-05-07 21:42:51 UTC
Created attachment 676 [details]
Proposed patch

Would you please test this and check if this fixes the issue?
Comment 4 Dharmesh B 2019-05-07 22:24:54 UTC
Hi Michael,

Sure. I will follow up and help you with this issue until it's fixed. I'm really sorry about the link that couldn't be accessed. Try this link and let me know if it's working.

https://youtu.be/5GoVj1cw1pE

I couldn't upload the PoC video due to file size restrictions. Try the above link and let me know whether you can access it.

Regards,
Dharmesh B
Comment 5 Michael Tremer 2019-05-07 22:26:43 UTC
Thanks for your quick reply.

The video still doesn’t work, but I think I have a clue about what the problem is.
Comment 6 Dharmesh B 2019-05-07 22:42:03 UTC
I've figured out the issue with sharing the link. Now it works. Well, that sounds great. Whenever you have a doubt, you can check this PoC link.

https://youtu.be/5GoVj1cw1pE
Comment 7 Michael Tremer 2019-05-09 10:04:45 UTC
Did you get a chance to confirm that the patch works?

I tried this with the exact input from your video and the XSS vulnerability is gone. The value is now escaped before being stored.

(In reply to Dharmesh B from comment #6)
> I've figured out the issue with sharing the link. Now it works. Well, that
> sounds great. Whenever you have a doubt, you can check this PoC link.
> 
> https://youtu.be/5GoVj1cw1pE
Comment 8 Dharmesh B 2019-05-09 10:24:26 UTC
Hi Michael Tremer,

So before testing do I need to update my IPFire?

If so, I tried updating IPFire with the commands mentioned in the link below, but I couldn't update it.

https://blog.ipfire.org/post/ipfire-2-23-core-update-131-has-been-updated


It throws me an error:
PAKFIRE ERROR: You need to be online to run pakfire!
Comment 9 Michael Tremer 2019-05-09 10:28:55 UTC
Created attachment 677 [details]
Patched captive.cgi file

No, this patch is not yet included in the update. I have attached the changed version of captive.cgi which you can copy to /srv/web/ipfire/cgi-bin/captive.cgi. That is the easiest way.
Comment 10 Michael Tremer 2019-05-09 10:38:58 UTC
Created attachment 678 [details]
attachment-31119-0.html

No you don’t need to update the system. This patch doesn’t require anything from the update.
Comment 11 Dharmesh B 2019-05-09 13:00:37 UTC
Created attachment 679 [details]
Fixed
Comment 12 Dharmesh B 2019-05-09 13:02:05 UTC
The issue got fixed and the script didn't get executed. :)
Comment 13 Michael Tremer 2019-05-09 13:10:02 UTC
Great! Thanks for the feedback. Did you apply for a CVE number by any chance?
Comment 14 Dharmesh B 2019-05-09 13:30:10 UTC
Yes. I have applied for a CVE for this issue. I still need to get a response from them. When I receive the CVE ID I'll let you know in this thread.
Comment 15 Michael Tremer 2019-05-09 13:32:33 UTC
Okay, I will make this bug report public again and the fix has been merged into the "next" branch which will become Core Update 132.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=462bc3d1595df12dd16a5d93f86a48e5bf33178b

Thank you very much again for reporting this and helping to make IPFire more secure!
Comment 16 Dharmesh B 2021-05-20 19:21:27 UTC
Hi Team,

I have received the CVE for this vulnerability.

Here is the CVE for this vulnerability "CVE-2020-19202"

Once the writeup is created for this vulnerability on your website, kindly share the link with me.

Thanks and Regards,
Dharmesh B
Comment 17 Michael Tremer 2021-05-21 08:41:29 UTC
Hello,

thank you for this. The fix has already been released almost two years ago:

> https://blog.ipfire.org/post/ipfire-2-23-core-update-132-released

You can use the release announcement or this bug report to refer to the problem.