Bug 13892 (CVE-2025-34317)

Summary: /cgi-bin/dns.cgi TLS_HOSTNAME Stored Cross-Site Scripting
Product: IPFire Reporter: Wade Sparks <wsparks>
Component: ---Assignee: Adolf Belka <adolf.belka>
Status: MODIFIED --- QA Contact:
Severity: Security    
Priority: Will affect all users CC: adolf.belka, arne.fitzenreiter, michael.tremer, nobody, stefan.schantl
Version: 2Keywords: Security
Hardware: x86_64   
OS: Unspecified   
Bug Depends on: 13891    
Bug Blocks: 13893    
Attachments: Researcher Report

Description Wade Sparks 2025-09-23 23:01:43 UTC 
Created attachment 1679 [details]
Researcher Report

+++ This bug was initially created as a clone of Bug #13891 +++

I am a vulnerability analyst at VulnCheck responsible for managing our coordinated vulnerability disclosure (CVD) process. A researcher reported this vulnerability affecting IPFire, and VulnCheck is acting as the intermediary and coordinator.

We have tentatively reserved CVE-2025-34223, which have been shared with the researcher but will remain private until public disclosure:

Please be aware that none of this information is public at this moment and all participants are considered under embargo.

VulnCheck follows a 120-day disclosure policy, meaning we allow vendors/maintainers up to 120 days from the time of receiving the report to address the issues before publishing our advisory. For this vulnerability, that 120-day deadline falls on January 21, 2025.

---

When a user adds a new DNS entry, an HTTP POST request is sent to the Request-URI "/cgi-bin/dns.cgi". The TLS hostname is stored in the value of the parameter TLS_HOSTNAME.

The value of the TLS_HOSTNAME parameter is directly displayed without sanitizing for HTML-related characters or strings. This can result in stored cross-site scripting.

The attacker must be authenticated.

---

The attachment contains additional technical details, the affected pathway, and proof of concept.
Comment 2 Michael Tremer 2025-09-25 15:41:54 UTC 
Thank you, another follow-up patch:

> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=db042629c0cae5b78eeddb8a9db8783c557138b0
Comment 3 Michael Tremer 2025-09-25 15:47:08 UTC 
Thank you very much everyone who has been working on this.

The IPFire team has carefully reviewed this and the other reports and we have submitted a number of patches for you to review. They are all linked above.

They have also already been merged to the development tree and therefore in line to be released with the next update:

> https://git.ipfire.org/?p=ipfire-2.x.git;a=shortlog;h=refs/heads/next

Please review the patches and confirm if they are fixing all problems that have been reported.

We are very grateful for your time and effort that you have brought towards these findings and for your contribution to make IPFire an even more secure firewall. Please feel free to report any future findings and if you have anything else to share with us, please contact security@ipfire.org.

I have made this bug report public again since patches are now available.
Comment 4 Wade Sparks 2025-09-25 16:12:59 UTC 
Thanks for the quick fixes! Do you know when they will be released?
Comment 5 Michael Tremer 2025-09-25 16:26:20 UTC 
(In reply to Wade Sparks from comment #4)
> Thanks for the quick fixes! Do you know when they will be released?

We don't have a release date, yet. But it will happen at some point in October.

Is there a way for us to credit the researcher that has been in touch with you? Would you like to be credited in the changelog?
Comment 6 Wade Sparks 2025-09-25 16:46:47 UTC 
Okay, we will keep an eye out for the release but would greatly appreciate a follow up when the release is pushed out.

Please credit "Alex Williams from Pellera Technologies" within the change log. Thank you!
Comment 7 Michael Tremer 2025-10-27 16:33:37 UTC 
The CVE numbers in the individual reports have been mixed up with some other projects. Here is an updated list:

#13876 - CVE-2025-34301
#13877 - CVE-2025-34302
#13878 - CVE-2025-34303
#13879 - CVE-2025-34304
#13880 - CVE-2025-34305
#13881 - CVE-2025-34306
#13882 - CVE-2025-34307
#13883 - CVE-2025-34308
#13884 - CVE-2025-34309
#13885 - CVE-2025-34310
#13886 - CVE-2025-34311
#13887 - CVE-2025-34312
#13888 - CVE-2025-34313
#13889 - CVE-2025-34314
#13890 - CVE-2025-34315
#13891 - CVE-2025-34316
#13892 - CVE-2025-34317
#13893 - CVE-2025-34318