Lack of escaping on some pages can lead to XSS exposure #3549
Comments
Jing, can you request a CVE#?
Case #2 is not repeatable in 1.2.12.
Just request, to be reviewed
Thanks @ddb4github! When I first started seeing these CVEs, it was upsetting as no one likes holes in their code, but at the same time we are very grateful that people are using the product and testing it thoroughly to help find these things 👍 Keep up the good work
Several XSS Vulnerabilities. This resolves Case 6
Okay, all resolved. Thanks Jing.
append Case7,8 to Issue Desc area
Append more cases
Case #9 data_sources.php page with popup exist
Case #10 notify_lists.php with popup exist
Case #11 automation_graph_rules.php popup exist on page
Case #12 data_debug.php, edit a datasource with script has popup exist
### Case #13 reports_admin.php, add an item with script, click send now, pop up exist
### Case #14 click a tree named with script has popup
### Case #3 data_input.php, delete, click a output/input field with script --still failed with the fix
### Case #4 graph_templates.php add graph items with a color named --failed with the fix
Case #9 seems to be directly related to using drop_callback, as when you change the field to a textbox, the XSS doesn't exist. Case #10 is specific to Thold so should be opened against that repo. Case #11 is due to the Data Query drop down not being escaped. Case #12 is due to the title not being escaped on the "Were we able to convert the title?" line. Case #13 is due to the title not being escaped in the success/fail messages. Case #14 is something I was unable to reproduce.
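The root cause named in the comment above (a stored title echoed into a success/fail message without escaping) as an added PHP example; this is not Cacti's code, and the status-message wording and the `unsafe_status`/`safe_status` function names are constructed for illustration.

```php
<?php
// Added example (not Cacti's code): the stored-XSS pattern from this issue
// and its fix. A saved object name is echoed back inside a status message.

// Constructed sample value, in the same shape as the issue's test cases.
$title = "<script>alert('test CVE');</script>";

// Vulnerable: the stored title is interpolated into HTML without escaping,
// so the payload executes every time the status message is rendered.
function unsafe_status(string $title): string
{
    return "<div class='message'>Converted '" . $title . "' successfully</div>";
}

// Hardened: escape at output time. ENT_QUOTES also covers single-quoted
// attribute contexts; ENT_SUBSTITUTE avoids returning '' on bad byte
// sequences, which would silently drop the message. The stored value is
// left untouched; escaping belongs to the output context.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safe_status(string $title): string
{
    return "<div class='message'>Converted '" . escape_html($title) . "' successfully</div>";
}

// Self-check: the hardened output never carries a raw tag from the input.
$out = safe_status($title);
assert(strpos($out, '<script') === false);
assert(strpos($out, '&lt;script&gt;') !== false);

echo unsafe_status($title), PHP_EOL; // raw payload echoed back into the page
echo $out, PHP_EOL;                  // tags and quotes rendered as entities
```

The same output-time escaping applies to every sink listed in the thread (drop-down option labels, data query names, tree names): the value is stored as entered and escaped where it is written into HTML.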
I have sorted 11 through 13, the rest are unresolved or unconfirmed.
I've fixed a few more of these. I guess we need to hit a reset button. @yingbaiibm, can you summarize what is still outstanding?
@TheWitness ok, I will check and summarize the status after we merge the new fix.
@TheWitness Test using latest cacti code, make a summary like below.
Okay. Should be all resolved now. |
@ddb4github and @yingbaiibm can you confirm? |
@TheWitness @netniV retest using latest code, 2 cases still have problem. Passed: 4, 7, 9, 15, 16, 17, 18. Failed: 3, 19
Thanks for the feedback, we will look into it again. |
I believe that these two should be resolved now. Can you retest for me? Thank you so much for your time and patience. |
@netniV test using your new fix. passed for data_input case. |
I tried to reproduce it and the with my fix I seemed to no longer have the error. Can you give the page/mode you are using? |
Thanks for the PR. Saves me doing the same thing. I think I fixed it under somewhere else. |
Okay, looks like this is good then. Stored XSS makes peoples lives more interesting I guess. |
Found one more in lib/import.php. |
Describe the bug
Several XSS Vulnerabilities during XSS testing
To Reproduce
Case#1
<script>alert('test CVE');</script>
alert('test CVE')
as below

Case#2
name
of one of Associated Graph Templates
<script>alert('test CVE');</script>
x
icon of row right for the modified one
alert('test CVE')
as below

Case#3
data_input.php, delete, click a output/input field with <script>alert('test CVE');</script>

Case#4
graph_templates.php add graph items with a color named <script>alert('test CVE');</script>

Case#5
<script>alert('SiteCore');</script>
<script>alert('hostname');</script>
, description: <script>alert('hostdesc');</script>
alert('SiteCore')
, alert('hostdesc')
, alert('hostname')
.

Case#6
<script>alert('tree');</script>
Place on a Tree <script>alert('tree');</script>
alert('tree')

Case#7
<script>alert('gtemplatename');</script>
<script>alert('rptname');</script>
alert('gtemplatename')
only. And list mode will popup a extra
alert('rptname')

Case#8
<script>alert('gtemplatename');</script>
Create Graphs for this Device