0001362: Reflected XSS in printer.php's img_src, font_size and $_SERVER[REQUEST_URI] - PacketFence

# # Security fix for XSS in Web Admin's printer.php (#1362) # Licensed under the GPLv2 # Olivier Bilodeau <obilodeau@inverse.ca> # old_revision [4e7b8374a86e26fccebb4adc9385047431f3e1ea] # # patch "pf/html/admin/footer.php" # from [67a9b2cb5bb74696d168be4ef367111dc975fd77] # to [93a8a69e2a07df95ba5cff677273bfd55290b839] # # patch "pf/html/admin/printer.php" # from [c1b9ca5e1b9bcbd80a85a025d6960cad9e012765] # to [fe3722f9320d6bf1327b5a8b343e0966384a4a8b] # ============================================================ --- pf/html/admin/footer.php 67a9b2cb5bb74696d168be4ef367111dc975fd77 +++ pf/html/admin/footer.php 93a8a69e2a07df95ba5cff677273bfd55290b839 @@ -21,7 +21,7 @@ * * @author Olivier Bilodeau <obilodeau@inverse.ca> * @author Dominik Gehl <dgehl@inverse.ca> - * @copyright 2008-2011 Inverse inc. + * @copyright 2008-2012 Inverse inc. * @license http://opensource.org/licenses/gpl-2.0.php GPL */ ?> @@ -53,7 +53,7 @@ print "<a href=\"javascript:popUp('/exporter.php?current_top=$current_top&current_sub=$current_sub','175','1200')\"><img border=0 src='images/csv.png' alt='Download CSV of this data' title='Download CSV of this data'></a>"; } if(isset($is_printable) && $is_printable){ - print "<a href='/printer.php?current_top=$current_top&current_sub=$current_sub&img_src=".urlencode($img_src)."' target=_NEW><img border=0 src='images/printer.png' alt='View a Printer Friendly Version' title='View a Printer Friendly Version'></a>"; + print "<a href='/printer.php?current_top=$current_top&current_sub=$current_sub' target='_blank'><img border=0 src='images/printer.png' alt='View a Printer Friendly Version' title='View a Printer Friendly Version'></a>"; } ?> </td> ============================================================ --- pf/html/admin/printer.php c1b9ca5e1b9bcbd80a85a025d6960cad9e012765 +++ pf/html/admin/printer.php fe3722f9320d6bf1327b5a8b343e0966384a4a8b @@ -1,8 +1,8 @@ <?php /** - * TODO short desc + * printer.php * - * TODO long desc + * Outputs table stored in session in a printer friendly format. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -19,8 +19,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, * USA. * + * @author Olivier Bilodeau <obilodeau@inverse.ca> * @author Dominik Gehl <dgehl@inverse.ca> - * @copyright 2008-2010 Inverse inc. + * @copyright 2008-2010, 2012 Inverse inc. * @license http://opensource.org/licenses/gpl-2.0.php GPL */ @@ -37,12 +38,8 @@ <body> <? - if($_GET['img_src']){ - print "<img src='$_GET[img_src]'>"; - } - - else if($_SESSION['table']){ + if($_SESSION['table']){ $table = unserialize($_SESSION['table']); #if($table->editable){ # array_pop($table->headers); @@ -51,12 +48,16 @@ print "<div id='printer'>"; $font_size = set_default($_GET['font_size'], 3); + # Anti-XSS + $font_size = htmlspecialchars($font_size, ENT_QUOTES | ENT_HTML401); + $uri = htmlspecialchars($_SERVER[REQUEST_URI], ENT_QUOTES | ENT_HTML401); + if($font_size < 5){ - print "<a href='".$_SERVER[REQUEST_URI]."&font_size=".($font_size+1)."'><img width='30px' border='0' src='images/big_font.gif' alt='Inbiggin Font'></a>"; + print "<a href='$uri&font_size=".($font_size+1)."'><img width='30px' border='0' src='images/big_font.gif' alt='Inbiggin Font'></a>"; } if($font_size > 1){ - print "<a href='".$_SERVER[REQUEST_URI]."&font_size=".($font_size-1)."'><img width='22px' border='0' src='images/small_font.gif' alt='Smallify Font'></a>"; - } + print "<a href='$uri&font_size=".($font_size-1)."'><img width='22px' border='0' src='images/small_font.gif' alt='Smallify Font'></a>"; + } print "<table border=1 style='border-collapse:collapse;'>"; print "<tr>"; @@ -72,11 +73,12 @@ } print "</tr>"; } - print "</table>"; - } + print "</table>"; + } else { + print "No data"; + } - ?>

Issue History
Date Modified	Username	Field	Change
2012-01-10 13:47	obilodeau	New Issue
2012-01-10 13:47	obilodeau	Status	new => assigned
2012-01-10 13:47	obilodeau	Assigned To	=> obilodeau
2012-01-10 14:09	obilodeau	Summary	Reflected XSS in printer.php's img_src => Reflected XSS in printer.php's img_src and font_size
2012-01-10 14:09	obilodeau	Description Updated
2012-01-10 14:41	obilodeau	Note Added: 0002527
2012-01-10 14:41	obilodeau	Summary	Reflected XSS in printer.php's img_src and font_size => Reflected XSS in printer.php's img_src, font_size and $_SERVER[REQUEST_URI]
2012-01-10 14:41	obilodeau	Description Updated
2012-01-10 15:03	obilodeau	File Added: security-fix-1362-xss-in-printer.php.patch
2012-01-10 15:03	obilodeau	Note Added: 0002528
2012-01-10 15:49	obilodeau	mtn revision	=> bc47f31583011d5bfc6612a1766ac2bb474a9718
2012-01-10 15:49	obilodeau	Note Added: 0002529
2012-01-10 15:49	obilodeau	Status	assigned => resolved
2012-01-10 15:49	obilodeau	Fixed in Version	=> trunk
2012-01-10 15:49	obilodeau	Resolution	open => fixed
2012-02-22 14:39	obilodeau	Note Added: 0002576
2012-02-22 14:39	obilodeau	View Status	private => public
2012-02-28 14:22	obilodeau	Target Version	+1 => 3.2.0
2012-02-28 14:22	obilodeau	Fixed in Version	trunk => 3.2.0
2012-02-28 14:31	obilodeau	Note Added: 0002587
2012-02-28 14:31	obilodeau	Status	resolved => closed

Notes
(0002527) obilodeau (reporter) 2012-01-10 14:41	Another one in $_SERVER[REQUEST_URI]. Need an old browser as current FF and Chrome didn't work, I needed a proxy to escape the URL encoding done by the browsers.

(0002528) obilodeau (reporter) 2012-01-10 15:03	attached patch

(0002529) obilodeau (reporter) 2012-01-10 15:49	fixed in trunk

(0002576) obilodeau (reporter) 2012-02-22 14:39	bug report now public

(0002587) obilodeau (reporter) 2012-02-28 14:31	Fixed in recently released 3.2.0.

Relationships