Date: Tue, 05 Apr 2016 22:37:58 +0100 From: Michael Tremer <michael.tremer@...ire.org> To: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: CVE request: Remote command execution/XSS vulnerability after login in IPFire's web user interface Hello, I would like to request a CVE number for the following two issues in the web user interface of IPFire reported by Yann Cam . We currently have an upstream bug report  that is non-public at the moment and patches are under review by the reporter. 1) XSS in GET parameter in ipinfo.cgi A non-persistent XSS in GET param is available in the ipinfo.cgi. The injection can be URLencoded with certain browsers or blocked with Anti-XSS engine. This XSS works on IE and affect IPFire version <= 2.17 Core Update 99 for the moment. File /srv/web/ipfire/cgi-bin/ipinfo.cgi line 87 : &Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname); 2) Remote command execution in proxy.cgi Remote Command Execution in the proxy.cgi file. This file is protected from CSRF execution. Affected version <= 2.17 Core Update 99 for the moment. File /srv/web/ipfire/cgi-bin/proxy.cgi line 4137 : system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass"); The $str_pass isn't sanitized before execution in command line. It's possible to change the "NCSA_PASS" and "NCSA_PASS_CONFIRM" post data with arbitrary data. Thank you, -Michael  https://www.asafety.fr/data/20160403_-_IPFire_2.17_i586_Core_Update_99_Remote_Command_Execution.txt  https://bugzilla.ipfire.org/show_bug.cgi?id=11087 Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ