PacketFence
Bug Tracking System

ID: 0001362
Project: PacketFence
Category: security
View Status: public
Date Submitted: 2012-01-10 13:47
Last Update: 2012-02-28 14:31
Reporter: obilodeau
Assigned To: obilodeau
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version: 3.2.0
Fixed in Version: 3.2.0
Summary: 0001362: Reflected XSS in printer.php's img_src, font_size and $_SERVER[REQUEST_URI]

Description:
Exploit PoC img_src:
https://packetfence:1443/printer.php?img_src=%27%3E%3Cscript%3Ealert%28%22Your%20admin%20cookies:%20%22%2bdocument.cookie%29;%3C/script%3E

Exploit PoC font_size:
For the exploit to work, you'll have to get the user to load a valid Web Admin page with a table of data beforehand. It's required to see the font-size tags.
https://packetfence:1443/printer.php?current_top=node&current_sub=view&font_size=%27%3E%3Cscript%3Ealert%28%22Your%20admin%20cookies:%20%22%2bdocument.cookie%29;%3C/script%3E

img_src:
After looking around, I didn't find a user passing img_src in the GET so the 'feature' will be removed entirely.

font_size: will be sanitized

Tags: No tags attached.
fixed in git revision:
fixed in mtn revision: bc47f31583011d5bfc6612a1766ac2bb474a9718
Attached Files: security-fix-1362-xss-in-printer.php.patch (4,275 bytes) 2012-01-10 15:03

-  Notes
(0002527)
obilodeau (reporter)
2012-01-10 14:41

Another one in $_SERVER[REQUEST_URI]. Need an old browser as current FF and Chrome didn't work; I needed a proxy to escape the URL encoding done by the browsers.
(0002528)
obilodeau (reporter)
2012-01-10 15:03

attached patch
(0002529)
obilodeau (reporter)
2012-01-10 15:49

fixed in trunk
(0002576)
obilodeau (reporter)
2012-02-22 14:39

bug report now public
(0002587)
obilodeau (reporter)
2012-02-28 14:31

Fixed in recently released 3.2.0.
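
One way to apply the two remediations named in this report (sanitize font_size, stop reflecting a raw REQUEST_URI), added here as an example; it is not PacketFence's code or the attached patch. The function names, the integer range and the markup are assumptions.

```php
<?php
// Added illustration, not PacketFence source. Function names are hypothetical.
// img_src has no counterpart here: per the report it is removed, so it is never read.

// font_size: validate against a strict integer range instead of echoing it.
// Assumption: the parameter is meant to be a small point size.
function safe_font_size($raw, int $default = 10): int
{
    $size = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 6, 'max_range' => 40]]);
    return $size === false ? $default : $size;   // arrays and payloads fail validation
}

// Encode a value for use inside an HTML attribute. ENT_QUOTES is the important
// flag: both PoC payloads begin with '> which suggests the values land in a
// single-quoted attribute, and before PHP 8.1 the default flags (ENT_COMPAT)
// leave single quotes unencoded.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: the font_size payload from the report, URL-decoded.
$payload = '\'><script>alert("Your admin cookies: "+document.cookie);</script>';

// 1. font_size: the payload fails validation and the default is used.
$size = safe_font_size($payload);
echo "<table style='font-size: {$size}pt'>\n";       // hypothetical markup

// 2. A legitimate value passes through as an integer.
echo "<table style='font-size: " . safe_font_size('14') . "pt'>\n";

// 3. REQUEST_URI: reflected only after encoding. A client that skips URL
//    encoding (the proxy case in note 0002527) delivers these characters raw.
$request_uri = '/printer.php?current_top=node&x=' . $payload;   // constructed
echo "<a href='" . attr($request_uri) . "'>printable version</a>\n";
```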

- Issue History
Date Modified Username Field Change
2012-01-10 13:47 obilodeau New Issue
2012-01-10 13:47 obilodeau Status new => assigned
2012-01-10 13:47 obilodeau Assigned To => obilodeau
2012-01-10 14:09 obilodeau Summary Reflected XSS in printer.php's img_src => Reflected XSS in printer.php's img_src and font_size
2012-01-10 14:09 obilodeau Description Updated
2012-01-10 14:41 obilodeau Note Added: 0002527
2012-01-10 14:41 obilodeau Summary Reflected XSS in printer.php's img_src and font_size => Reflected XSS in printer.php's img_src, font_size and $_SERVER[REQUEST_URI]
2012-01-10 14:41 obilodeau Description Updated
2012-01-10 15:03 obilodeau File Added: security-fix-1362-xss-in-printer.php.patch
2012-01-10 15:03 obilodeau Note Added: 0002528
2012-01-10 15:49 obilodeau mtn revision => bc47f31583011d5bfc6612a1766ac2bb474a9718
2012-01-10 15:49 obilodeau Note Added: 0002529
2012-01-10 15:49 obilodeau Status assigned => resolved
2012-01-10 15:49 obilodeau Fixed in Version => trunk
2012-01-10 15:49 obilodeau Resolution open => fixed
2012-02-22 14:39 obilodeau Note Added: 0002576
2012-02-22 14:39 obilodeau View Status private => public
2012-02-28 14:22 obilodeau Target Version +1 => 3.2.0
2012-02-28 14:22 obilodeau Fixed in Version trunk => 3.2.0
2012-02-28 14:31 obilodeau Note Added: 0002587
2012-02-28 14:31 obilodeau Status resolved => closed

