XSS in custom (root) certificate #1964
Comments
@binaryfigments thanks for reporting, we will fix this before the next release.

this 1219f2f should do the trick. can you test on your end to be sure?

Sure! I'll give it a try.

@AdSchellevis maybe there should be a separate channel for those bugs, like an email address with a public GPG key to encrypt the mails, to make sure there will not be any exploits in the wild using already fixed bugs before the next release. For example this (stored XSS) can be used for privilege escalation. CC @fichtner

@AdSchellevis not completely fixed, also found an XSS vulnerability in the certificate details view:

@fabianfrz it's quite unlikely that this will surface in the wild, but for sensitive information there are email addresses in place (project) that people can (and do) use. I'm not entirely sure what the issue is in the certificate details view, your screenshots don't appear to have any script code in them.

Either way, if people wish to disclose issues via GitHub they should be aware of their potential to be exploitable. Security issues can be reported via e-mail for coordinated fixes. The researcher / reporter is in charge of the course taken here.

@AdSchellevis it shows as empty because it is being executed with the provided certificate.

check, fixed in 66c5335

To be completely frank, I will push the fix even untested and breaking the page just to fix the XSS ;)

merged to stable, happy about "ok" from the reporter despite ticket close :)

@AdSchellevis your change broke the output: as you can see in the output, it strips tags. I provide a PR.

@binaryfigments I just read your blog post and realised that another "thank you" is in order: thank you <3 For reference: https://binaryfigments.com/2017/12/11/dont-trust-all-ssl-tls-certificates/


I do not think the impact will be big, it only works with crafted certificates while logged in as root.
It works on:
OPNsense 17.1.1-amd64
FreeBSD 11.0-RELEASE-p7
OpenSSL 1.0.2k 26 Jan 2017
And a just completely upgraded firewall installation.
URLs:
https://firewall/system_camanager.php
https://firewall/system_certmanager.php
While adding a custom certificate authority, you can trigger an XSS in the admin panel.
First, I went to Authorities and added the CA. No problems here.

Then I click further to Certificates (for adding a certificate to that fake root).
Here is the first pop-up.
Clicking these away, this is the result:
Adding a certificate over there:

Here are the CA and certificate files I used.
fakeca.zip
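An added example, not OPNsense's own code and not what the commits referenced in the thread contain, showing the defensive pattern this report calls for: certificate DN fields are data, so they are escaped when rendered rather than tag-stripped, which keeps a crafted CN inert while a legitimate value containing `<` survives. The `$parsed` array is constructed here to mirror the shape `openssl_x509_parse()` returns; its values are invented for the demonstration.

```php
<?php
declare(strict_types=1);

// Escape one certificate field for safe inclusion in an HTML text node or
// attribute value. Escaping is reversible for the reader (every byte stays
// visible) and never executes, which is what strip_tags() cannot guarantee.
function cert_field_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a DN array (the shape of $parsed['subject'] / $parsed['issuer'])
// as table rows. Both attribute names and values are escaped; attribute
// names also come from the certificate and are not trusted.
function render_dn_rows(array $dn): string
{
    $rows = '';
    foreach ($dn as $attr => $value) {
        // Multi-valued attributes (e.g. several OU entries) come back as arrays.
        $values = is_array($value) ? $value : [$value];
        foreach ($values as $v) {
            $rows .= '<tr><td>' . cert_field_html((string) $attr) . '</td><td>'
                   . cert_field_html((string) $v) . "</td></tr>\n";
        }
    }
    return $rows;
}

// Constructed sample (assumption, not taken from fakeca.zip): a crafted CA
// subject with markup in the CN next to a legitimate value that also
// contains angle brackets.
$parsed = [
    'subject' => [
        'C'  => 'NL',
        'O'  => 'R&D <Ops>',                 // legitimate, must survive intact
        'CN' => '<script>alert(1)</script>', // crafted, must never run
    ],
];

// Vulnerable pattern from the report: the raw field is emitted into the page.
$unsafe = '<td>' . $parsed['subject']['CN'] . '</td>';

// strip_tags() neutralises the CN but silently destroys the legitimate "O".
$stripped = strip_tags($parsed['subject']['O']); // yields "R&D "

// Escaping: the CN is shown literally as text, "R&D <Ops>" is shown unchanged.
echo render_dn_rows($parsed['subject']);
```

Running the script prints the escaped rows; loading that output in a browser displays the `<script>` text as text and shows `R&D <Ops>` intact, whereas `$stripped` demonstrates the data loss the reporter observed after the first fix.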