oss-sec mailing list archives
CVE request: Remote command execution/XSS vulnerability after login in IPFire's web user interface
From: Michael Tremer <michael.tremer () ipfire org>
Date: Tue, 05 Apr 2016 22:37:58 +0100
Hello,

I would like to request a CVE number for the following two issues in the web user interface of IPFire reported by Yann Cam [1].

We currently have an upstream bug report [2] that is non-public at the moment and patches are under review by the reporter.

1) XSS in GET parameter in ipinfo.cgi

A non-persistent XSS in GET param is available in the ipinfo.cgi. The injection can be URLencoded with certain browsers or blocked with Anti-XSS engine. This XSS works on IE and affects IPFire version <= 2.17 Core Update 99 for the moment.

File /srv/web/ipfire/cgi-bin/ipinfo.cgi line 87 :

    &Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);

2) Remote command execution in proxy.cgi

Remote Command Execution in the proxy.cgi file. This file is protected from CSRF execution. Affected version <= 2.17 Core Update 99 for the moment.

File /srv/web/ipfire/cgi-bin/proxy.cgi line 4137 :

    system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");

The $str_pass isn't sanitized before execution in command line. It's possible to change the "NCSA_PASS" and "NCSA_PASS_CONFIRM" post data with arbitrary data.

Thank you,
-Michael

[1] https://www.asafety.fr/data/20160403_-_IPFire_2.17_i586_Core_Update_99_Remote_Command_Execution.txt
[2] https://bugzilla.ipfire.org/show_bug.cgi?id=11087
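Added example, not part of the original message and not IPFire's actual patch: one way to harden the htpasswd call from issue 2 by using the list form of Perl's system(), so the password never passes through a shell. The helper name set_proxy_password, the validation rules, the demo path and the /bin/echo stand-in are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not IPFire code. $userdb is assumed to be a fixed,
# server-side path; $user and $pass come from the POST data.
sub set_proxy_password {
    my ($userdb, $user, $pass, $htpasswd) = @_;
    $htpasswd //= '/usr/sbin/htpasswd';

    # Allow-list the user name: no ':' (htpasswd field separator), no
    # leading '-' (would be parsed as an option), bounded length.
    return (0, 'invalid user name')
        unless defined $user
        && $user =~ /\A[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}\z/;

    # Passwords may legitimately contain punctuation, so shell
    # metacharacters are not stripped; only empty values and control
    # characters are rejected.
    return (0, 'invalid password')
        unless defined $pass
        && length $pass
        && $pass !~ /[\x00-\x1f\x7f]/;

    # Before (from the report): one interpolated string, parsed by /bin/sh:
    #   system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");
    # After: list form. Perl executes the program directly and every
    # element arrives as exactly one argv entry, with no shell parsing.
    my $rc = system($htpasswd, '-b', $userdb, $user, $pass);
    return (0, "could not execute $htpasswd: $!") if $rc == -1;
    return $rc == 0 ? (1, 'ok') : (0, 'htpasswd exited with ' . ($rc >> 8));
}

# Constructed demo: /bin/echo stands in for htpasswd so the argument
# vector is visible and no password file is touched.
my $sample_pass = 'a b;c|d&e';    # constructed value with shell metacharacters
my ($ok, $msg) = set_proxy_password('/tmp/demo.htpasswd', 'alice',
                                    $sample_pass, '/bin/echo');
print "result: $msg\n";

# A user name carrying a separator or option prefix is refused up front.
for my $bad ('-D', 'al:ice', '') {
    my ($bad_ok, $why) = set_proxy_password('/tmp/demo.htpasswd', $bad,
                                            'x', '/bin/echo');
    print "rejected '$bad': $why\n" unless $bad_ok;
}
```

With -b the password is still visible in the process list while htpasswd runs, which the list form does not change.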