XSS: Validate HTTP_X_FORWARDED_FOR header. #3439

Merged
merged 2 commits into from Nov 1, 2016

@protich
Member

protich commented Nov 1, 2016

Prior versions of osTicket blindly trusted http headers set by upstream proxies or agents. This pull request addresses possible remote XSS injection via X_FORWARDED_FOR header by introducing HTTP options to define a list of Trusted Proxies as well as address space of trusted Local Networks. CIDR notation (subnets) are supported.

HTTP Option: TRUSTED_PROXIES (default: <none>)
To support running an osTicket installation on web servers that sit behind a load balancer, HTTP cache, or other intermediary (reverse) proxy, it's necessary to define trusted proxies to protect against forged HTTP headers.

HTTP Option: LOCAL_NETWORKS (default: 127.0.0.0/24)
When running osTicket as part of a cluster it might become necessary to whitelist local/virtual networks that can bypass some authentication checks.

Validate Upstream IP Addresses
Validate CLIENT_IP to make sure it's a valid IP address. Address prior entries by forcing html chars encoding on display.
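The following is an added example, not code from this pull request or from osTicket itself, of the three pieces the description above combines: a CIDR-aware trusted-proxy list, a LOCAL_NETWORKS check, and a client-IP resolver that only consults X-Forwarded-For when the direct peer (REMOTE_ADDR) is a trusted proxy, validates every hop with FILTER_VALIDATE_IP, and HTML-encodes the result before display. The function names, the `$server` array and the sample addresses are assumptions chosen for illustration.

```php
<?php
// Added example (hypothetical helpers, not osTicket's own API).

// True if $ip falls inside $cidr ("10.0.0.0/8", "::1/128", or a bare address).
// IPv4 and IPv6 are compared as packed bytes so one routine serves both.
function ip_in_cidr(string $ip, string $cidr): bool {
    $ipBin = inet_pton($ip);
    if ($ipBin === false) return false;
    if (strpos($cidr, '/') === false) {
        return $ipBin === inet_pton($cidr);          // exact match only
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $netBin = inet_pton($subnet);
    if ($netBin === false || strlen($netBin) !== strlen($ipBin)) {
        return false;                                 // invalid or mixed families
    }
    $bits = (int)$bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) return false;
    $fullBytes = intdiv($bits, 8);
    $remBits   = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) return false;
    if ($remBits === 0) return true;
    $mask = (0xFF << (8 - $remBits)) & 0xFF;          // partial last byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function ip_in_list(string $ip, array $cidrs): bool {
    foreach ($cidrs as $c) {
        if (ip_in_cidr($ip, trim($c))) return true;
    }
    return false;
}

// LOCAL_NETWORKS check: may a request from this peer bypass auth checks?
function is_local_network(string $remoteAddr, array $localNetworks): bool {
    return filter_var($remoteAddr, FILTER_VALIDATE_IP) !== false
        && ip_in_list($remoteAddr, $localNetworks);
}

// Resolve the client IP. X-Forwarded-For is only believed when REMOTE_ADDR is
// a trusted proxy; the chain is walked right to left past trusted hops, and a
// hop that is not a syntactically valid IP (e.g. injected markup) discards the header.
function resolve_client_ip(array $server, array $trustedProxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) return '';
    if (!$trustedProxies || !ip_in_list($remote, $trustedProxies)) return $remote;

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') return $remote;
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $remote;                           // forged/garbage entry
        }
        if (!ip_in_list($hops[$i], $trustedProxies)) return $hops[$i];
    }
    return $remote;                                   // whole chain was trusted proxies
}

// Always encode before rendering, even after validation.
function display_ip(string $ip): string {
    return htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests (not captured traffic).
$trusted = ['10.0.0.0/8', '2001:db8::/32'];
$local   = ['127.0.0.0/24'];

// Legitimate chain: client -> trusted proxy -> trusted load balancer.
$ok = ['REMOTE_ADDR' => '10.0.0.5',
       'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.9'];
echo resolve_client_ip($ok, $trusted), "\n";          // 203.0.113.7

// Header forged by a direct (untrusted) peer: header is ignored.
$forged = ['REMOTE_ADDR' => '198.51.100.4',
           'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>'];
echo display_ip(resolve_client_ip($forged, $trusted)), "\n";   // 198.51.100.4

// Injected value arriving via a trusted proxy: invalid hop, fall back to peer.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '"><img src=x onerror=alert(1)>'];
echo display_ip(resolve_client_ip($viaProxy, $trusted)), "\n"; // 10.0.0.5

var_dump(is_local_network('127.0.0.1', $local));      // bool(true)
var_dump(is_local_network('127.0.1.1', $local));      // bool(false)
```

With an empty TRUSTED_PROXIES list, as in the default described above, the resolver never reads X-Forwarded-For at all, which is the safe behaviour for a server that is not actually behind a proxy; the `display_ip` step is still applied so that a value that merely passes validation is never written into HTML unencoded.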

protich added some commits Oct 26, 2016

XSS: Encode Helpdesk name/title
Encode html chars on helpdesk title
Add Trusted Proxies and LAN Options
* HTTP Option: TRUSTED_PROXIES (default: <none>)
To support running an osTicket installation on web servers that sit behind a
load balancer, HTTP cache, or other intermediary (reverse) proxy, it's
necessary to define trusted proxies to protect against forged HTTP headers.

* HTTP Option: LOCAL_NETWORKS (default: 127.0.0.0/24)
When running osTicket as part of a cluster it might become necessary to
whitelist local/virtual networks that can bypass some authentication
checks.

* Validate CLIENT_IP to make sure it's a valid IP address.

@protich protich merged commit de9b7d3 into osTicket:develop Nov 1, 2016
