PacketFence
Bug Tracking System

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0001296PacketFencesecuritypublic2011-10-03 12:252011-10-24 20:17
Reportermattd 
Assigned Toobilodeau 
PrioritynormalSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Versiondevel 
Target Version3.0.2Fixed in Version3.0.2 
Summary0001296: XSS in captive portal web interface (several files)
DescriptionIn the following scripts of the captive portal web interface (html/captive-portal/):
* guest-selfregistration.cgi
* mobile-confirmation.cgi
* redir.cgi
* register.cgi

..the 'destination_url' parameter, passed in as an HTTP GET or POST parameter, is not escaped in script output, leading to XSS.
Additional InformationA sample request, triggering the XSS in register.cgi:
register.cgi?mode=release&destination_url=%22%2balert%28document.cookie%29%2b%22
TagsNo tags attached.
fixed in git revision
fixed in mtn revision92f9741dafd035ed1617b8ebb8d6a467cb0f1edb
Attached Filespatch file icon security-fix-1296-destination-url-XSS.patch [^] (14,377 bytes) 2011-10-13 17:23 [Show Content]

- Relationships

-  Notes
(0002345)
obilodeau (reporter)
2011-10-13 17:35

De-entities and uri unescape on destination_url input and entities on output.

Fix will be released in 3.0.2 shortly.

Those you can't wait or who won't upgrade in a timely fashion should apply the attached patch. It might not apply as easily as you wish if you don't run 3.0 but the fix is so straightforward that you can probably hand-edit the thing. If you are running an old version don't forget to import HTML::Entities with 'use HTML::Entities;'.
(0002363)
obilodeau (reporter)
2011-10-17 10:38

This vulnerability has been assigned: CVE-2011-4067
(0002392)
obilodeau (reporter)
2011-10-24 20:15

fix released in 3.0.2

- Issue History
Date Modified Username Field Change
2011-10-03 12:25 mattd New Issue
2011-10-06 12:53 obilodeau Status new => assigned
2011-10-06 12:53 obilodeau Assigned To => obilodeau
2011-10-13 17:23 obilodeau File Added: security-fix-1296-destination-url-XSS.patch
2011-10-13 17:35 obilodeau mtn revision => 92f9741dafd035ed1617b8ebb8d6a467cb0f1edb
2011-10-13 17:35 obilodeau Note Added: 0002345
2011-10-13 17:35 obilodeau Status assigned => resolved
2011-10-13 17:35 obilodeau Fixed in Version => +1
2011-10-13 17:35 obilodeau Resolution open => fixed
2011-10-17 10:38 obilodeau Note Added: 0002363
2011-10-24 16:45 obilodeau View Status private => public
2011-10-24 20:15 obilodeau Target Version => 3.0.2
2011-10-24 20:15 obilodeau Note Added: 0002392
2011-10-24 20:16 obilodeau Status resolved => closed
2011-10-24 20:17 obilodeau Fixed in Version +1 => 3.0.2


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker