Lack of escaping on some pages can lead to XSS exposure (CVE-2020-7106) #3191
Remediation
Original:
Suggestion:
Wow great catch sir!!
Thanks for your ongoing efforts to improve the code Chi, appreciated. If you already have a patch, you should submit it as a pull request so we can merge it. Since this is an XSS bug, if you could do that against the 1.2.x branch and include the CHANGELOG entry too, that would be perfect.
Hi @netniV, thank you for your response. I am happy to do so.
Yea, I found a few more. Committing shortly.
total files are:
Bummer.
* Vulnerability report: Lack of escaping on some pages can lead to XSS exposure
* Also cleaning up additional copyrights
* Make the way filter headers are escaped consistent
Okay, just committed the fixes. That's from a pretty comprehensive audit.
@smutranchi, if you can get a CVE number for this, it would be appreciated.
Hi @cigamit, thank you for your response. I have raised a CVE request. I will put it in here once I get the number. Sincerely,
A CVE was assigned to this bug as: Please let me know if you need any further information. Best regards,
If you can review the code change, that would add some validation to the fix. We will use the CVE in our notifications on the next release.
A double review of the commit would be appreciated.
I have just pulled the new commits from the 1.2.x branch and started reviewing. I will let you guys know if I find anything else.
@cigamit I can see that several lines in this diff are still missing the e.g. 4cbb045#diff-317c61020ed4b560afa7e1760f261534R1155 or 4cbb045#diff-3398f8d2633c0b07fbd66bd7b8f75ecdR2018 Is it intentional?
Yes, if you follow the code, those two strings are included in a subsequent __esc() further in.
Hi @cigamit, I noticed that when a report is created, in file lib/html_reports.php the function reports_generate_html() gets called with the param $reports passed in. Tracing back to lib/reports.php, where the reports_generate_html() function is declared, I observed that the report table prints $reports['name'] raw (line 707 of reports.php). Hence, if we send an XSS payload into the field "Report Name", it will still be executed when users navigate to the Preview tab.
Good catch.
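Added example, not Cacti's own code: it contrasts the unescaped output pattern described in the comment above (a stored "Report Name" written straight into a table row, as on the Preview tab) with escaping at the output sink. The sample row, the render functions and the esc() helper are constructed for this example; Cacti's own helper is the __esc() discussed in this thread, and plain htmlspecialchars() is used here so the snippet runs stand-alone.

```php
<?php
// Added example, not Cacti's own code. Shows why a value that was stored
// without checks must still be escaped at every output sink (here: a report
// table row such as the one the Preview tab renders).

// Constructed sample row: a stored "Report Name" carrying the payload quoted
// in this thread. In Cacti this would come back from the reports table.
$report = ['id' => 7, 'name' => '<svg/onload=alert(1)>'];

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so the browser treats it as markup and runs the onload handler.
function render_report_row_unescaped(array $report): string {
    return '<tr><td>' . $report['id'] . '</td><td>' . $report['name'] . '</td></tr>';
}

// Escape helper for this example (Cacti's own is the __esc() discussed
// above). ENT_QUOTES also encodes single quotes, which matters when a
// value lands inside an attribute rather than in element text.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: escape at the point of output, independent of whatever
// validation ran (or did not run) when the value was saved.
function render_report_row_escaped(array $report): string {
    return '<tr><td>' . esc((string) $report['id']) . '</td><td>' . esc($report['name']) . '</td></tr>';
}

// Cheap regression check a reviewer can run over a rendered fragment: the
// raw stored name must not appear verbatim in the output if escaping would
// have changed it (a name with no special characters is fine either way).
function leaks_raw_markup(string $html, array $report): bool {
    return strpos($html, $report['name']) !== false
        && $report['name'] !== esc($report['name']);
}

foreach (['unescaped' => render_report_row_unescaped($report),
          'escaped'   => render_report_row_escaped($report)] as $label => $html) {
    printf("%-10s %s\n", $label . ':', $html);
    printf("%-10s leaks raw markup: %s\n", '', leaks_raw_markup($html, $report) ? 'yes' : 'no');
}
```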
One additional lack of proper escaping of stored database value.
Okay, got that one caught now.
Hi @cigamit, I tried to trace from the Device description and got one more file that is affected. Then if the admin turns on WEBLOG, an XSS dialog pops up when the admin navigates to the Logs tab from the menu bar.
I have just also made a change to the 1.2.x branch on the clog_webapi.php file.
Thanks again Chi, I'll take a look and see about submitting it.
Security: required more fixing like #3191 (CVE-2020-7106)
Describe the bug
Data source input validation error leads to stored XSS within Description after creating a device with malicious code embedded in the Description field.
To Reproduce
Steps to reproduce the behavior:
<svg/onload=alert(1)>
You might ask me questions about CSP and the whitelisting thing in config.php:
If I turned the whitelisting feature ON? YES
If I fixed html.php to append CSP policy? YES