Date: Tue, 05 Apr 2016 22:37:58 +0100
From: Michael Tremer <michael.tremer@...ire.org>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE request: Remote command execution/XSS vulnerability after login in IPFire's web user interface

Hello,

I would like to request a CVE number for the following two issues in the web
user interface of IPFire reported by Yann Cam [1].

We currently have an upstream bug report [2] that is non-public at the moment
and patches are under review by the reporter.


1) XSS in GET parameter in ipinfo.cgi

A non-persistent XSS in a GET param is available in ipinfo.cgi. The injection
can be URL-encoded with certain browsers or blocked by an anti-XSS engine.

This XSS works on IE and affects IPFire versions <= 2.17 Core Update 99 for the
moment.
 
File /srv/web/ipfire/cgi-bin/ipinfo.cgi line 87:
    &Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);
 

2) Remote command execution in proxy.cgi

Remote Command Execution in the proxy.cgi file. This file is protected from CSRF
execution. Affected version <= 2.17 Core Update 99 for the moment.

File /srv/web/ipfire/cgi-bin/proxy.cgi line 4137:
    system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");

The $str_pass isn't sanitized before execution on the command line. It's possible to
change the "NCSA_PASS" and "NCSA_PASS_CONFIRM" POST data to arbitrary data.


Thank you,
-Michael

[1] https://www.asafety.fr/data/20160403_-_IPFire_2.17_i586_Core_Update_99_Remote_Command_Execution.txt
[2] https://bugzilla.ipfire.org/show_bug.cgi?id=11087
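The proxy.cgi issue above is a shell-interpolation bug, so the fix a reviewer would look for is the list form of Perl's system(), which execs htpasswd directly without a shell, plus an allow-list on the username. The following is an added example written for this post, not IPFire's code or the patch under review; the user-db path, sub names and the sample inputs are assumed.

```perl
#!/usr/bin/perl
# Added example, not IPFire's code: the interpolated system() call from
# proxy.cgi beside a hardened variant. Paths and sample values are assumed.
use strict;
use warnings;

my $userdb = '/tmp/example-ncsa-users';   # assumed path, stands in for IPFire's user db

# Vulnerable pattern (as in the report): one string is handed to /bin/sh, so
# shell metacharacters inside $str_pass or $str_user are interpreted.
# Defined here for comparison only; it is never called.
sub vulnerable_add_user {
    my ($str_user, $str_pass) = @_;
    return system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");
}

# Hardened pattern: reject anything but a conservative username, then use the
# list form of system() so every element reaches htpasswd as its own argv
# entry and no shell ever sees the data.
sub safe_add_user {
    my ($str_user, $str_pass) = @_;
    die "invalid username\n" unless $str_user =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
    die "empty password\n"   unless length $str_pass;
    my @cmd = ('/usr/sbin/htpasswd', '-b', $userdb, $str_user, $str_pass);
    # Indirect-object form forces exec() even when @cmd has a single element.
    # Note: -b still places the password on the command line, where other
    # local users can read it from the process list (documented in htpasswd's
    # man page); this example only addresses the injection.
    return system { $cmd[0] } @cmd;
}

# Constructed sample input: a "password" carrying shell metacharacters, the
# kind of value the report says can be submitted via NCSA_PASS. With the list
# form it is stored as a literal password and nothing else is executed.
my $user = 'alice';
my $pass = 's3cret;echo injected';

if (-x '/usr/sbin/htpasswd') {
    my $rc = safe_add_user($user, $pass);
    print "htpasswd exited with status ", $rc >> 8, "\n";
} else {
    print "htpasswd not installed; argv that would be passed:\n";
    print "  [$_]\n" for ('/usr/sbin/htpasswd', '-b', $userdb, $user, $pass);
}
```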