PacketFence - BTS - PacketFence
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0001454PacketFencesecuritypublic2012-05-28 21:392012-06-14 12:16
Reporterobilodeau 
Assigned Toobilodeau 
PriorityhighSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version3.0.0 
Target Version3.4.0Fixed in Version3.4.0 
fixed in git revision3ae90433f6308b45b0990dc8aaa3a860617cf42a
fixed in mtn revision
Summary0001454: Reflected XSS in guest management
DescriptionTo reproduce browse to: https://webadmin:1443/guests/manage?columns="%3E%3Cscript%3Ealert%28%27XSS%20and%20thank%20you%20for%20your%20admin%20cookies%3A%20%27%20%2b%20document.cookie%29%3B%3C%2fscript%3E [^]
Steps To Reproduce
Additional Information
TagsNo tags attached.
Relationships
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2012-05-28 21:39obilodeauNew Issue
2012-05-28 21:49obilodeauNote Added: 0002735
2012-05-29 09:37obilodeaugit revision => 3ae90433f6308b45b0990dc8aaa3a860617cf42a
2012-05-29 09:37obilodeauStatusnew => resolved
2012-05-29 09:37obilodeauFixed in Version => +1
2012-05-29 09:37obilodeauResolutionopen => fixed
2012-05-29 09:37obilodeauAssigned To => obilodeau
2012-06-14 12:15obilodeauTarget Version => 3.4.0
2012-06-14 12:15obilodeauFixed in Version+1 => 3.4.0
2012-06-14 12:16obilodeauNote Added: 0002774
2012-06-14 12:16obilodeauStatusresolved => closed
2012-06-14 12:16obilodeauNote Added: 0002781
2012-06-14 12:16obilodeauView Statusprivate => public

Notes
(0002735)
obilodeau   
2012-05-28 21:49   
This naive fix seems to have effects on the javascript or something because the tab doesn't load by default anymore.. Experienced on firefox.

diff --git a/html/captive-portal/templates/guest/register_guest.html b/html/captive-portal/templates/guest/register_guest.html

index 0f57f9d..4e85847 100644
--- a/html/captive-portal/templates/guest/register_guest.html
+++ b/html/captive-portal/templates/guest/register_guest.html
@@ -136,7 +136,7 @@ var initialTabName = "single";
             </div>
             <div class="input">
               <span>[% i18n("Columns Order") %]*</span>
-              <input type="hidden" name="columns"id="columns_order" 
value="[% IF columns %][% columns %][% ELSE %]c_username,c_password[% END %]">
+              <input type="hidden" name="columns" id="columns_order" 
value="[% IF columns %][% columns | html %][% ELSE %]c_username,c_password[% END %]">
               <div class="note" id="columns">
                 <div class="column"><input type="checkbox" name="c_username" 
checked disabled><span>[% i18n("Username") %]</span><span class="order"><img 
src="/content/images/arrow_up_12x12.png"><
                 <div class="column"><input type="checkbox" name="c_password" 
checked disabled><span>[% i18n("Password") %]</span><span class="order"><img 
src="/content/images/arrow_up_12x12.png"><
(0002774)
obilodeau   
2012-06-14 12:16   
fix released in 3.4.0 yesterday
(0002781)
obilodeau   
2012-06-14 12:16   
security problem now public