
Server-Side Reflected XSS via POST to /gosa/password.php #14

Closed
fmeum opened this issue May 23, 2018 · 4 comments
fmeum commented May 23, 2018

(Published here as requested by Gonicus)

The /gosa/password.php endpoint fails to sanitize the uid POST parameter, leading to a Server-Side Reflected XSS vulnerability as this parameter is later assigned to a Smarty variable of the same name and then rendered in the context of an HTML attribute in password.tpl. As a result, arbitrary JavaScript can be executed in the GOSA origin.
This vulnerability is very similar to the one reported as CVE-2014-9760, but uses a different endpoint.

Suggested fix (untested): Use set_post() to escape the value of uid before assigning it to the Smarty variable here.
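
The following is an added illustration of the bug class described in this report; it is not GOsa code and does not use the project's set_post() or Smarty. A hypothetical render_uid_field() stands in for the value="{$uid}" substitution in password.tpl, escape_for_attribute() stands in for the entity-escaping that set_post() is proposed to provide, and attribute_is_intact() is a constructed heuristic check that the rendered tag still has exactly the three attributes the template defines.

```php
<?php
// Added example (not from the GOsa project): an unescaped POST value rendered
// into an HTML attribute, next to the same value after entity-escaping.
declare(strict_types=1);

// Stand-in for a set_post()-style sanitizer (assumption, not GOsa's implementation):
// encode the characters that can end a quoted attribute or open a new tag.
// ENT_QUOTES matters here because PHP < 8.1 leaves single quotes alone by default.
function escape_for_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical stand-in for the template line <input ... value="{$uid}">.
function render_uid_field(string $uid): string
{
    return '<input type="text" name="uid" value="' . $uid . '">';
}

// Defender's check (constructed heuristic): the tag must still carry exactly the
// three attributes the template defines (type, name, value) and close only once.
function attribute_is_intact(string $html): bool
{
    return preg_match_all('/\b\w+="/', $html) === 3
        && substr_count($html, '>') === 1;
}

// Constructed sample uid carrying a double quote; an inert attribute name is
// enough to show that the value escapes its quoting context.
$sample_uid = 'alice" data-probe="1';

$vulnerable = render_uid_field($sample_uid);                       // raw POST value (the reported bug)
$fixed      = render_uid_field(escape_for_attribute($sample_uid)); // escaped first (the suggested fix)

printf("unescaped: %s  intact=%s\n", $vulnerable, var_export(attribute_is_intact($vulnerable), true));
printf("escaped:   %s  intact=%s\n", $fixed, var_export(attribute_is_intact($fixed), true));
```

Run it with `php example.php`: the unescaped line renders a fourth attribute (data-probe) and fails the check, while the escaped line keeps the quote inside the value as `&quot;` and passes. Escaping on assignment is what the report suggests; as defense in depth, Smarty's `{$uid|escape}` output modifier applies the same htmlspecialchars encoding at render time, so a second code path that assigns the raw value would still be covered.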

master-caster (Contributor) commented:

Thank you for reporting.
I will check your proposal and create an appropriate patch.


fmeum commented May 29, 2018

Any update on this?

master-caster pushed a commit that referenced this issue Jun 4, 2018
escape html entities for uid to avoid code execution
master-caster (Contributor) commented:

Sorry for taking so long...

I checked some gosa installations to see if there is any user ID containing some "exotic" characters that may be escaped as html entity by the function set_post().


fmeum commented Jun 4, 2018

Thanks for checking! Note though that this has already been used as a fix elsewhere in gosa: CVE-2014-9760, so it should not break any user IDs that are not already broken.

@fmeum fmeum closed this as completed Jul 23, 2018