oss-sec mailing list archives

CVE request: Remote command execution/XSS vulnerability after login in IPFire's web user interface


From: Michael Tremer <michael.tremer () ipfire org>
Date: Tue, 05 Apr 2016 22:37:58 +0100

Hello,

I would like to request a CVE number for the following two issues in the web
user interface of IPFire reported by Yann Cam [1].

We currently have an upstream bug report [2] that is non-public at the moment
and patches are under review by the reporter.


1) XSS in GET parameter in ipinfo.cgi

A non-persistent XSS in a GET parameter is present in ipinfo.cgi. The injection
can be URL-encoded by certain browsers or blocked by an anti-XSS engine.

This XSS works on IE and affects IPFire version <= 2.17 Core Update 99 for the
moment.

File /srv/web/ipfire/cgi-bin/ipinfo.cgi line 87:
    &Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);
 

2) Remote command execution in proxy.cgi

Remote Command Execution in the proxy.cgi file. This file is protected from CSRF
execution. Affected versions <= 2.17 Core Update 99 for the moment.

File /srv/web/ipfire/cgi-bin/proxy.cgi line 4137:
    system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");

The $str_pass value isn't sanitized before being used on the command line. It's
possible to change the "NCSA_PASS" and "NCSA_PASS_CONFIRM" POST data to arbitrary data.


Thank you,
-Michael

[1] https://www.asafety.fr/data/20160403_-_IPFire_2.17_i586_Core_Update_99_Remote_Command_Execution.txt
[2] https://bugzilla.ipfire.org/show_bug.cgi?id=11087
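Added illustration of the two patterns in this report, written as an example here and not taken from IPFire or the advisory: the shell-string form of system() next to a validated list-form call (which execs htpasswd directly, without a shell), and an HTML-escaping helper of the kind the ipinfo.cgi output line needs. The htpasswd path is the one the report quotes; the function names and the allowed-character rules are assumptions.

```perl
#!/usr/bin/perl
# Example code (not IPFire's): shell-string vs. list-form system(), plus
# HTML escaping. Function names and validation rules are assumptions.
use strict;
use warnings;

# Vulnerable pattern (as in the report): one string is handed to /bin/sh,
# so shell metacharacters in $str_pass are interpreted as shell syntax.
sub set_password_unsafe {
    my ($userdb, $str_user, $str_pass) = @_;
    return system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");
}

# Hardened pattern: validate the attacker-controlled values first, then use
# the list form of system(), which execs htpasswd with argv as given and
# never involves a shell. $userdb is assumed to be server-controlled.
sub set_password_safe {
    my ($userdb, $str_user, $str_pass) = @_;
    # Username: conservative allow-list, first character alphanumeric so it
    # can never be parsed by htpasswd as an option.
    return -1 unless $str_user =~ /\A[A-Za-z0-9][A-Za-z0-9_.@-]{0,63}\z/;
    # Password: printable characters only, bounded length, no leading '-'.
    return -1 unless $str_pass =~ /\A[[:print:]]{1,128}\z/ && $str_pass !~ /\A-/;
    return system('/usr/sbin/htpasswd', '-b', $userdb, $str_user, $str_pass);
}

# For the ipinfo.cgi case: escape every value before interpolating it into
# HTML, including the hostname obtained from reverse DNS.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample value: a hostname string carrying markup characters.
print html_escape('host<b>name</b> & "quoted"'), "\n";
```

Note that even with the list form, a leading '-' in a user-supplied argument can still be consumed as an option by the called program, which is why the validation above rejects it rather than relying on the exec boundary alone.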
