Created attachment 675
Stored XSS PoC image. Watch the PoC video given in the description for more details.
Topic: Stored XSS (Cross-site Scripting)
Product: IPFire - The Open Source Firewall
Bug Found: Friday 07 May 2019
Affects: IPFire 2.21 (x86_64) - Core Update 130
1. Problem Description
An authenticated Stored XSS (Cross-site Scripting) exists in the Captive Portal (https://localhost:444/cgi-bin/captive.cgi) via the "Title of Login Page" text box, i.e. the "TITLE" parameter. This is due to a lack of user input validation on the "Title of Login Page" text box / "TITLE" parameter. It allows an authenticated WebGUI user with privileges for the affected page to execute stored Cross-site Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which helps the attacker redirect the victim to the attacker's page. The stored XSS is triggered on the victim's page whenever the victim tries to access the Captive Portal page.
An attacker can get access to the victim's session by performing CSRF and gathering the cookies and session IDs, or can possibly change the victim's configuration using this stored XSS. This attack can possibly spoof the victim's information.
The user input needs to be validated, and special characters need to be encoded in the configuration pages.
Name: Dharmesh Baskaran
PoC Video (PRIVATE): https://www.youtube.com/watch?v=5GoVj1cw1pE&feature=youtu.be
Thank you very much for submitting this bug report.
I marked it as security sensitive, so it won't be publicly visible until a fix is available.
(In reply to Dharmesh B from comment #0)
> PoC Video (PRIVATE):
This video is "unavailable". You can upload it as an attachment.
Created attachment 676
Would you please test this and check if this fixes the issue?
Sure. I will follow up and help you with this issue until it's fixed. I'm really sorry about the link that couldn't be accessed. Try this link and let me know if it's working.
I couldn't upload the PoC video due to file size restrictions. Try the above link and let me know whether you can access it.
Thanks for your quick reply.
The video still doesn’t work, but I think I have a clue about what the problem is.
I've figured out the issue with sharing the link. Now it works. Well, that sounds great. Whenever you have doubts, you can check this PoC link.
Did you get a chance to confirm that the patch works?
I tried this with the exact input from your video and the XSS vulnerability is gone. The value is now escaped before being stored.
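To make the two points in this thread concrete (the unvalidated TITLE parameter described in the report, and the fix that escapes the value before storing it), here is an added Python example that is not IPFire code and does not reproduce captive.cgi. It uses a stand-in settings dictionary and page renderer, and shows the vulnerable store beside an escape-before-store variant and an allow-list validator. The payload, the settings dict, the regular expressions and every function name are constructed for this example only.

```python
import html
import re

# Constructed payload of the kind the report describes being typed into the
# "Title of Login Page" box; an illustration, not the reporter's PoC.
XSS_PAYLOAD = '<script>location="https://attacker.example/"</script>'

# Conservative allow-list for a login-page title. This is an assumption for
# the example, not IPFire's rule: plain printable text, no angle brackets,
# quotes, ampersands or equals signs, at most 80 characters.
TITLE_RE = re.compile(r"^[A-Za-z0-9 .,:;!?()\-_/]{1,80}$")


def title_is_valid(title: str) -> bool:
    """Input validation (the reporter's recommendation): accept only titles
    that match the allow-list, so markup never enters the store at all."""
    return TITLE_RE.fullmatch(title) is not None


def store_title_unsafe(settings: dict, title: str) -> None:
    """Vulnerable pattern: the TITLE parameter is written to the settings
    store exactly as submitted, so any markup survives into every render."""
    settings["TITLE"] = title


def store_title_escaped(settings: dict, title: str) -> None:
    """Hardened pattern matching the fix discussed in the thread: the value is
    HTML-escaped before it is stored, so <, >, &, " and ' become entities."""
    settings["TITLE"] = html.escape(title, quote=True)


def render_login_page(settings: dict) -> str:
    """Stand-in for the CGI template: the stored TITLE is interpolated into the
    page verbatim, which is why what reaches the store decides the outcome."""
    title = settings.get("TITLE", "")
    return (
        "<html><head><title>" + title + "</title></head>"
        "<body><h1>" + title + "</h1></body></html>"
    )


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def page_has_live_script(page: str) -> bool:
    """True when a raw <script ...> tag (as opposed to an entity-encoded one)
    made it into the rendered page."""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    vulnerable, hardened = {}, {}
    store_title_unsafe(vulnerable, XSS_PAYLOAD)
    store_title_escaped(hardened, XSS_PAYLOAD)
    print("unsafe store renders live script:",
          page_has_live_script(render_login_page(vulnerable)))
    print("escaped store renders live script:",
          page_has_live_script(render_login_page(hardened)))
    print("payload passes allow-list:", title_is_valid(XSS_PAYLOAD))
```

One caveat worth keeping in mind with the escape-before-store approach: the stored value now contains entities, so if the same value is later fed back into a settings form that also escapes on output, the administrator will see a double-escaped title (`&amp;lt;` instead of `&lt;`). Escaping at the output boundary is the more general rule; the allow-list validator above is the cheap second layer that keeps markup out of the configuration file in the first place.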
(In reply to Dharmesh B from comment #6)
> I've figured out the issue with sharing the link. Now it works. Well, that
> sounds great. Whenever you have doubts, you can check this PoC link.
Hi Michael Tremer,
So before testing, do I need to update my IPFire?
If so, I tried updating IPFire but couldn't update it using the commands mentioned in the link below.
It throws me an error:
PAKFIRE ERROR: You need to be online to run pakfire!
Created attachment 677
Patched captive.cgi file
No, this patch is not yet included in the update. I have attached the changed version of captive.cgi which you can copy to /srv/web/ipfire/cgi-bin/captive.cgi. That is the easiest way.
Created attachment 678
No you don’t need to update the system. This patch doesn’t require anything from the update.
Created attachment 679
The issue got fixed and the script didn't get executed. :)
Great! Thanks for the feedback. Did you apply for a CVE number by any chance?
Yes. I have applied for a CVE for this issue, but I still need to get a response from them. When I receive the CVE ID I'll let you know in this thread.
Okay, I will make this bug report public again and the fix has been merged into the "next" branch which will become Core Update 132.
Thank you very much again for reporting this and helping to make IPFire more secure!
I have received the CVE for this vulnerability.
Here is the CVE for this vulnerability: CVE-2020-19202
Once the write-up for this vulnerability is created on your website, kindly share the link with me.
Thanks and regards,
Thank you for this. The fix has already been released almost two years ago:
You can use the release announcement or this bug report to refer to the problem.