Created attachment 675 [details] Stored XSS PoC Image. Watch PoC video given in the description for more details. Hi Team, Topic: Stored XSS (Cross-site Scripting) Severity: Critical Product: IPFire - The Open Source Firewall Module: WebGUI Bug Found: Friday 07 May 2019 Affects: IPFire 2.21 (x86_64) - Core Update 130 1. Problem Description An authenticated Stored XSS (Cross-site Scripting) exists in the (https://localhost:444/cgi-bin/captive.cgi) Captive Portal via the "Title of Login Page" text box or "TITLE" parameter. This is due to a lack of user input validation in "Title of Login Page" text box or "TITLE" parameter. It allows an authenticated WebGUI user with privileges for the affected page to execute Stored Cross-site Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which helps attacker to redirect the victim to a attacker's page. The Stored XSS get prompted on the victims page whenever victim tries to access the Captive Portal page. 2. Impact An attacker get access to the victim's session by performing the CSRF and gather the cookie and session id's or possibly can change the victims configuration using this Stored XSS. This attack can possibly spoof the victim's informations. 3. Solution Need to validate the user input and also need to encode the special characters in configuration pages. Ref: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md 4. Credits Name: Dharmesh Baskaran URL: https://www.linkedin.com/in/dharmeshbaskaran PoC Video (PRIVATE): https://www.youtube.com/watch?v=5GoVj1cw1pE&feature=youtu.be
Thank you very much for submitting this bug report. I marked it as security sensitive, so it won't be publicly visible until a fix is available.
(In reply to Dharmesh B from comment #0) > PoC Video (PRIVATE): > https://www.youtube.com/watch?v=5GoVj1cw1pE&feature=youtu.be This video is "unavailable". You can upload it as an attachment.
Created attachment 676 [details] Proposed patch Would you please test this and check if this fixes the issue?
Hi Michael, Sure. I will follow up and help you for this issue until its fixed. I'm really sorry for the link that couldn't able to access. Try this link and let me know if it's working. https://youtu.be/5GoVj1cw1pE I couldn't able to upload the PoC video due file size restrictions. Try the above link and let me know whether you can able to access. Regards, Dharmesh B
Thanks for your quick reply. The video still doesn’t work, but I think I have a clue about what the problem is.
I've figured it out the issue on sharing the link. Now it works. Well that's sounds great. Whenever you have doubt, you can check this PoC link. https://youtu.be/5GoVj1cw1pE
Did you get a chance to confirm that the patch works? I tried this with the exact input from your video and the XSS vulnerability is gone. The value is now escaped before being stored. (In reply to Dharmesh B from comment #6) > I've figured it out the issue on sharing the link. Now it works. Well that's > sounds great. Whenever you have doubt, you can check this PoC link. > > https://youtu.be/5GoVj1cw1pE
Hi Michael Tremer, So before testing do I need to update my IPFire? If so I tried updating the IPFire but I couldn't able to update it as mentioned commands in below link. https://blog.ipfire.org/post/ipfire-2-23-core-update-131-has-been-updated It throws me an error PAKFIRE ERROR: You need to be online to run pakfire!
Created attachment 677 [details] Patched captive.cgi file No, this patch is not yet included in the update. I have attached the changed version of captive.cgi which you can copy to /srv/web/ipfire/cgi-bin/captive.cgi. That is the easiest way.
Created attachment 678 [details] attachment-31119-0.html No you don’t need to update the system. This patch doesn’t require anything from the update.
Created attachment 679 [details] Fixed
The issue got fixed and the script didn't get executed. :)
Great! Thanks for the feedback. Did you apply for a CVE number by any chance?
Yes. I have applied CVE for this issue. Yet I need to get response from them. When I receive the CVE id I'll let you know in this thread.
Okay, I will make this bug report public again and the fix has been merged into the "next" branch which will become Core Update 132. https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=462bc3d1595df12dd16a5d93f86a48e5bf33178b Thank you very much again for reporting this and helping to make IPFire more secure!
Hi Team, I have received the CVE for this vulnerability. Here is the CVE for this vulnerability "CVE-2020-19202" Once the writeup is created for this vulnerability on your website. Kindly share the link with me. Thanks and Regards, Dharmesh B
Hello, thank you for this. The fix has already been released almost two years ago: > https://blog.ipfire.org/post/ipfire-2-23-core-update-132-released You can use the release announcement or this bug report to refer to the problem.