
View Issue Details

| ID | 0001454 |
| Project | PacketFence |
| Category | security |
| View Status | public |
| Date Submitted | 2012-05-28 21:39 |
| Last Update | 2012-06-14 12:16 |
| Reporter | obilodeau |
| Assigned To | obilodeau |
| Priority | high |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | |
| OS | |
| OS Version | |
| Product Version | 3.0.0 |
| Target Version | 3.4.0 |
| Fixed in Version | 3.4.0 |
| Summary | 0001454: Reflected XSS in guest management |
| Description | To reproduce browse to: https://webadmin:1443/guests/manage?columns="%3E%3Cscript%3Ealert%28%27XSS%20and%20thank%20you%20for%20your%20admin%20cookies%3A%20%27%20%2b%20document.cookie%29%3B%3C%2fscript%3E |
| Tags | No tags attached. |
| fixed in git revision | 3ae90433f6308b45b0990dc8aaa3a860617cf42a |
| fixed in mtn revision | |
| Attached Files | |
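The root cause and the fix, as an added example that is not PacketFence code: the `columns` query parameter is reflected into the `value="..."` attribute of a hidden `<input>`, so a value beginning with `">` closes the attribute and the tag, and everything after it is parsed as markup. The script below re-creates that template line in Python, once without escaping (the original `[% columns %]`) and once through a function that applies the same escaping as Template Toolkit's `html` filter (`&`, `<`, `>` and the double quote; it leaves the single quote alone), renders the URL-decoded payload from the reproduction URL above through both, and parses each result with the standard library's HTML parser to show where a `<script>` element appears and what value the browser actually hands to page scripts. The function and helper names are assumptions made for the demonstration.

```python
"""Reflected XSS via an unescaped attribute value, and the attribute-aware fix.

Added example, not PacketFence code. It re-creates the `columns` hidden input
from html/captive-portal/templates/guest/register_guest.html in plain Python
so the vulnerable and fixed renderings can be compared offline.
"""
from html.parser import HTMLParser

# URL-decoded `columns` value from the report's reproduction URL.
PAYLOAD = ('"><script>alert(\'XSS and thank you for your admin cookies: \' '
           '+ document.cookie);</script>')

# The template's [% ELSE %] default.
DEFAULT_COLUMNS = "c_username,c_password"


def tt_html_filter(s: str) -> str:
    """Escape like Template Toolkit's `html` filter: &, <, > and the double quote.

    It leaves the single quote alone, so it is only sufficient inside a
    double-quoted attribute (as in the template) or in element content.
    """
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def render_columns_input(columns: str, escape: bool) -> str:
    """Render the hidden input the way the template does.

    escape=False mirrors `[% columns %]`        (before the fix),
    escape=True  mirrors `[% columns | html %]` (after the fix).
    """
    value = columns if columns else DEFAULT_COLUMNS
    if escape:
        value = tt_html_filter(value)
    return ('<input type="hidden" name="columns" id="columns_order" '
            'value="%s">' % value)


class _Tags(HTMLParser):
    """Record every start tag and the attributes of each <input>."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.inputs.append(dict(attrs))


def _parse(fragment: str) -> _Tags:
    p = _Tags()
    p.feed(fragment)
    p.close()
    return p


def injects_script(fragment: str) -> bool:
    """True if a browser would see a <script> element in this fragment."""
    return "script" in _parse(fragment).tags


def columns_value(fragment: str) -> str:
    """The `value` attribute the browser (and the page's JS) actually reads.

    HTMLParser decodes entities in attribute values, as a browser does, so a
    correctly escaped payload round-trips to the original string unchanged.
    """
    return _parse(fragment).inputs[0].get("value", "")


if __name__ == "__main__":
    for label, escaped in (("vulnerable", False), ("fixed", True)):
        out = render_columns_input(PAYLOAD, escaped)
        print("%s: %s" % (label, out))
        print("  <script> injected: %s" % injects_script(out))
        print("  value seen by JS:  %r" % columns_value(out))
```

Two things the run makes visible: in the unescaped rendering the attribute value collapses to an empty string and a real `<script>` element follows the input, while in the escaped rendering no element is created and the decoded attribute value is the original payload byte for byte, so the hidden field still carries whatever the user submitted back to the server. Encoding only `<` and `>` would not be enough here: the quote must be encoded too, because it is the quote that closes the attribute.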
Notes

(0002735) obilodeau (reporter) 2012-05-28 21:49
This naive fix seems to have effects on the JavaScript or something because the tab doesn't load by default anymore. Experienced on Firefox.
diff --git a/html/captive-portal/templates/guest/register_guest.html b/html/captive-portal/templates/guest/register_guest.html
index 0f57f9d..4e85847 100644
--- a/html/captive-portal/templates/guest/register_guest.html
+++ b/html/captive-portal/templates/guest/register_guest.html
@@ -136,7 +136,7 @@ var initialTabName = "single";
</div>
<div class="input">
<span>[% i18n("Columns Order") %]*</span>
- <input type="hidden" name="columns"id="columns_order"
value="[% IF columns %][% columns %][% ELSE %]c_username,c_password[% END %]">
+ <input type="hidden" name="columns" id="columns_order"
value="[% IF columns %][% columns | html %][% ELSE %]c_username,c_password[% END %]">
<div class="note" id="columns">
<div class="column"><input type="checkbox" name="c_username"
checked disabled><span>[% i18n("Username") %]</span><span class="order"><img
src="/content/images/arrow_up_12x12.png"><
<div class="column"><input type="checkbox" name="c_password"
checked disabled><span>[% i18n("Password") %]</span><span class="order"><img
src="/content/images/arrow_up_12x12.png"><
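Review bot: the `| html` filter added on the `+` line of the `value="..."` attribute is the right escaping for this context, since Template Toolkit's `html` filter encodes `"` as `&quot;` along with `&`, `<` and `>`, which is exactly what defeats the `">` attribute break-out in the reported URL; it does not encode `'`, so the fix only holds while the attribute stays double-quoted. Two things to confirm before merging: the hunk header shows this same template carries inline script (`var initialTabName = "single";`), and if `columns` is interpolated anywhere into that JavaScript, `html` is the wrong filter for that context and those sites need their own escaping; and the same `+` line also adds the missing space in `name="columns"id="columns_order"`, an unrelated markup fix worth mentioning in the commit message. Since the browser decodes `&quot;` back to `"` when a script reads the `#columns_order` value, the attribute escaping on its own is an unlikely cause of the tab-loading regression described in the note; it would be worth bisecting which part of the revision triggers that.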
(0002774) obilodeau (reporter) 2012-06-14 12:16
fix released in 3.4.0 yesterday
(0002781) obilodeau (reporter) 2012-06-14 12:16
security problem now public
Issue History

| Date Modified | Username | Field | Change |
| 2012-05-28 21:39 | obilodeau | New Issue | |
| 2012-05-28 21:49 | obilodeau | Note Added: 0002735 | |
| 2012-05-29 09:37 | obilodeau | git revision | => 3ae90433f6308b45b0990dc8aaa3a860617cf42a |
| 2012-05-29 09:37 | obilodeau | Status | new => resolved |
| 2012-05-29 09:37 | obilodeau | Fixed in Version | => +1 |
| 2012-05-29 09:37 | obilodeau | Resolution | open => fixed |
| 2012-05-29 09:37 | obilodeau | Assigned To | => obilodeau |
| 2012-06-14 12:15 | obilodeau | Target Version | => 3.4.0 |
| 2012-06-14 12:15 | obilodeau | Fixed in Version | +1 => 3.4.0 |
| 2012-06-14 12:16 | obilodeau | Note Added: 0002774 | |
| 2012-06-14 12:16 | obilodeau | Status | resolved => closed |
| 2012-06-14 12:16 | obilodeau | Note Added: 0002781 | |
| 2012-06-14 12:16 | obilodeau | View Status | private => public |