Fix unescaped strings XSS issues #13554
| @@ -18,5 +18,5 @@ | |||
| $vars['fromdevice'] = false; | |||
| require_once 'includes/html/modal/alert_details.php'; | |||
| require_once 'includes/html/common/alert-log.inc.php'; | |||
| echo implode('', $common_output); | |||
| echo htmlspecialchars(implode('', $common_output)); | |||
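Review bot: the hunk escapes the wrong layer. $common_output is the joined HTML that includes/html/common/alert-log.inc.php emits, so wrapping the whole implode() in htmlspecialchars() turns the alert-log table itself into literal text instead of only neutralising the untrusted values. Keep `echo implode('', $common_output);` as it was and apply the escaping to the user-controlled strings where they are placed into $common_output in alert-log.inc.php.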
I'm pretty sure $common_output is html. You will need to make any fixes in includes/html/common/alert-log.inc.php instead.
Fix it at the source ;)
Funny below it is cast to int (preventing xss)
Don't forget the other $common_output ones.
Funny below it is cast to int (preventing xss)
This seems like the (more) correct fix
If I understand well, the cast to int is for the function array_search, but the variable $selected_min_severity will keep the string value, because there is a string concatenation .= in the second assignment.
$selected_min_severity = '<option value="' . $_POST['min_severity'] . '" selected="selected">';
$selected_min_severity .= array_search((int) $_POST['min_severity'], $alert_severities) . '</option>';
Thanks for the fixes! Some however escape strings that contain html or json. You'll need a different strategy for those.
The changes are done to sanitize at the level of the sources instead of the sinks.
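As an added example (not LibreNMS code, and not the PR author's), the two points raised in the review side by side: the (int) cast only protects array_search while the raw $_POST value still lands in an HTML attribute, so the fix belongs at the source, and escaping the $common_output sink instead would mangle the markup alert-log.inc.php legitimately emits. The $alert_severities table, the POST value and the $common_output contents are constructed stand-ins.

```php
<?php
// Added example, not LibreNMS code. $alert_severities and the POST value are constructed.
$alert_severities = ['ok' => 1, 'warning' => 2, 'critical' => 3];

// Pattern quoted in the review comment: the (int) cast only protects array_search;
// the first line still interpolates the raw POST value into an HTML attribute.
function severity_option_vulnerable(array $post, array $severities): string
{
    $opt = '<option value="' . $post['min_severity'] . '" selected="selected">';
    $opt .= array_search((int) $post['min_severity'], $severities) . '</option>';
    return $opt;
}

// Fixed at the source: the user-controlled value is escaped before it touches any HTML.
function severity_option_fixed(array $post, array $severities): string
{
    $min_severity = htmlspecialchars((string) $post['min_severity'], ENT_QUOTES, 'UTF-8');
    $opt = '<option value="' . $min_severity . '" selected="selected">';
    $opt .= array_search((int) $post['min_severity'], $severities) . '</option>';
    return $opt;
}

// Constructed test input that closes the value attribute and injects a tag.
$post = ['min_severity' => '2"><b>injected</b>'];
$vulnerable = severity_option_vulnerable($post, $alert_severities);
$fixed      = severity_option_fixed($post, $alert_severities);

// (int) '2"><b>...' is 2, so both variants label the option "warning"; only the
// vulnerable one lets the tag out of the attribute.
assert(strpos($vulnerable, '"><b>injected</b>') !== false);
assert(strpos($fixed, '<b>') === false);
assert(strpos($fixed, 'value="2&quot;&gt;&lt;b&gt;injected&lt;/b&gt;"') !== false);

// Sink-side escaping, as first attempted in this PR, breaks legitimate markup instead.
// $common_output stands in for what alert-log.inc.php emits (constructed).
$common_output  = ['<table class="table">', '<tr><td>', $fixed, '</td></tr>', '</table>'];
$sink_escaped   = htmlspecialchars(implode('', $common_output));
$source_escaped = implode('', $common_output);
assert(strpos($sink_escaped, '&lt;table') === 0);   // the table itself becomes visible text
assert(strpos($source_escaped, '<table') === 0);    // markup intact, only the user value escaped

echo $vulnerable, PHP_EOL, $fixed, PHP_EOL, $sink_escaped, PHP_EOL;
```

Run it with `php example.php` on PHP 7 or 8; the assertions pass when zend.assertions is enabled, and the echoed lines show the attribute breakout, the source-escaped option, and the mangled sink-escaped table.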
Looks good now @enferas
Thanks :)
Thanks for not only reporting these, but also stepping up to fixing them!
It is my pleasure. Thank you for your fast responses and merging my pull request.
3 CVEs are assigned: CVE-2021-44277, CVE-2021-44278, CVE-2021-44279.
This pull request has been mentioned on LibreNMS Community. There might be relevant details there:
* Fix XSS vulnerabilities
* fix XSS vulnerabilities in alerts.inc.php
* fix XSS vulnerability in poller-groups.inc.php
* small fix for the integration
* another fix for the integration
* another fix for the integration
* change the sanitizer at sources instead of json_encode sinks
* another change sanitizer at sources instead of json_encode sinks
* another change sanitizer at sources instead of common_output and current_config sinks
* fix path manipulation vulnerability
Fix XSS vulnerabilities in /include/html directory.
Testers
If you would like to test this pull request then please run:
./scripts/github-apply <pr_id>, i.e. ./scripts/github-apply 5926
After you are done testing, you can remove the changes with ./scripts/github-remove. If there are schema changes, you can ask on discord how to revert.