PacketFence - BTS - PacketFence
View Issue Details
ID: 0001296
Project: PacketFence
Category: security
View Status: public
Date Submitted: 2011-10-03 12:25
Last Update: 2011-10-24 20:17
Reporter: mattd
Assigned To: obilodeau
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: devel
Target Version: 3.0.2
Fixed in Version: 3.0.2
mtn revision: 92f9741dafd035ed1617b8ebb8d6a467cb0f1edb
Summary: 0001296: XSS in captive portal web interface (several files)
Description:
In the following scripts of the captive portal web interface (html/captive-portal/):
* guest-selfregistration.cgi
* mobile-confirmation.cgi
* redir.cgi
* register.cgi

... the 'destination_url' parameter, passed in as an HTTP GET or POST parameter, is not escaped in script output, leading to XSS.
A sample request, triggering the XSS in register.cgi:
register.cgi?mode=release&destination_url=%22%2balert%28document.cookie%29%2b%22
Attached File: security-fix-1296-destination-url-XSS.patch (14,377 bytes), added 2011-10-13 17:23
https://www.packetfence.org/bugs/file_download.php?file_id=113&type=bug
Issue History
Date Modified | Username | Field | Change
2011-10-03 12:25 | mattd | New Issue |
2011-10-06 12:53 | obilodeau | Status | new => assigned
2011-10-06 12:53 | obilodeau | Assigned To | => obilodeau
2011-10-13 17:23 | obilodeau | File Added | security-fix-1296-destination-url-XSS.patch
2011-10-13 17:35 | obilodeau | mtn revision | => 92f9741dafd035ed1617b8ebb8d6a467cb0f1edb
2011-10-13 17:35 | obilodeau | Note Added | 0002345
2011-10-13 17:35 | obilodeau | Status | assigned => resolved
2011-10-13 17:35 | obilodeau | Fixed in Version | => +1
2011-10-13 17:35 | obilodeau | Resolution | open => fixed
2011-10-17 10:38 | obilodeau | Note Added | 0002363
2011-10-24 16:45 | obilodeau | View Status | private => public
2011-10-24 20:15 | obilodeau | Target Version | => 3.0.2
2011-10-24 20:15 | obilodeau | Note Added | 0002392
2011-10-24 20:16 | obilodeau | Status | resolved => closed
2011-10-24 20:17 | obilodeau | Fixed in Version | +1 => 3.0.2

Notes
(0002345) obilodeau, 2011-10-13 17:35
De-entities and URI-unescape on destination_url input and entities on output.

Fix will be released in 3.0.2 shortly.

Those who can't wait or who won't upgrade in a timely fashion should apply the attached patch. It might not apply as easily as you wish if you don't run 3.0, but the fix is so straightforward that you can probably hand-edit the thing. If you are running an old version, don't forget to import HTML::Entities with 'use HTML::Entities;'.
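As an added illustration that is not PacketFence's code or the attached patch, the Perl stand-in below writes a destination_url value into the page the unsafe way and then the way the note describes (de-entity and URI-unescape on input, entity-encode on output); the href context, the function names and the already-URL-decoded sample value are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not PacketFence code: a minimal stand-in for a captive-portal
# CGI that writes destination_url back into the page, before and after the fix
# described in note 0002345 (normalise on input, entity-encode on output).
use strict;
use warnings;
use HTML::Entities qw(decode_entities encode_entities);
use URI::Escape qw(uri_unescape);

# Before the fix: the request parameter lands in the markup untouched, so a
# double quote in it terminates the attribute and the remainder becomes markup.
sub render_vulnerable {
    my ($destination_url) = @_;
    return qq{<a href="$destination_url">Continue</a>};
}

# Input side of the fix: strip one layer of HTML entities and of URI escaping
# so later checks and the output encoder see the literal characters.
sub normalize_destination_url {
    my ($raw) = @_;
    return uri_unescape(decode_entities($raw));
}

# Output side of the fix: encode_entities turns < > & " into entities, so the
# value can no longer break out of the attribute (href context is assumed).
sub render_fixed {
    my ($destination_url) = @_;
    my $safe = encode_entities(normalize_destination_url($destination_url));
    return qq{<a href="$safe">Continue</a>};
}

# Constructed sample: the report's destination_url value as CGI.pm hands it over
# after URL-decoding %22%2balert%28document.cookie%29%2b%22.
my $sample = q{"+alert(document.cookie)+"};
print "before: ", render_vulnerable($sample), "\n";
print "after:  ", render_fixed($sample), "\n";
```

In the fixed output the quotes appear as &quot;, so the value stays inside the attribute instead of closing it.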
(0002363) obilodeau, 2011-10-17 10:38
This vulnerability has been assigned: CVE-2011-4067
(0002392) obilodeau, 2011-10-24 20:15
Fix released in 3.0.2.