Date: Tue, 05 Apr 2016 22:37:58 +0100
From: Michael Tremer <>
Subject: CVE request: Remote command execution/XSS vulnerability after login
 in IPFire's web user interface


I would like to request a CVE number for the following two issues in the web
user interface of IPFire reported by Yann Cam [1].

We currently have an upstream bug report [2] that is non-public at the moment
and patches are under review by the reporter.

1) XSS in GET parameter in ipinfo.cgi

A non-persistent XSS in GET param is available in the ipinfo.cgi. The injection
can be URLencoded with certain browsers or blocked with Anti-XSS engine.

This XSS works on IE and affects IPFire version <= 2.17 Core Update 99 for the
File /srv/web/ipfire/cgi-bin/ipinfo.cgi line 87 :
    &Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);

2) Remote command execution in proxy.cgi

Remote Command Execution in the proxy.cgi file. This file is protected from CSRF
execution. Affected version <= 2.17 Core Update 99 for the moment.

File /srv/web/ipfire/cgi-bin/proxy.cgi line 4137 :
    system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");

The $str_pass isn't sanitized before execution in command line. It's possible to
change the "NCSA_PASS" and "NCSA_PASS_CONFIRM" post data with arbitrary data.

Thank you,
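
The command execution in item 2 comes from passing one interpolated string to Perl's system(), which hands it to a shell when it contains shell metacharacters. The following is an added example, not IPFire's code or its patch: it shows the list form of system(), where each value reaches the program as a single argument. The valid_user and add_user helpers, the stand-in child process used in place of htpasswd, and the sample values are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not IPFire code. Variable names mirror the quoted line;
# the helpers, sample values and the argv-echo stand-in are constructed.

# Stand-in for /usr/sbin/htpasswd so the script runs anywhere: a child perl
# that reports how many arguments it received and what the last one was.
# The '--' stops the child perl from parsing '-b' as one of its own switches.
my @echo_argv = ($^X, '-e',
    'print scalar(@ARGV), " args; last=[$ARGV[-1]]\n"', '--');

# Allow-list for user names: no leading '-', so the value cannot be read as
# an option, and no ':' or whitespace, which would break the file format.
sub valid_user {
    my ($user) = @_;
    return defined $user
        && $user =~ /\A[A-Za-z0-9._][A-Za-z0-9._-]{0,63}\z/;
}

# List-form system(): no shell is involved, each element is one argv entry.
# @prog is the program to run, e.g. ('/usr/sbin/htpasswd') in production.
sub add_user {
    my ($userdb, $str_user, $str_pass, @prog) = @_;
    return 0 unless valid_user($str_user);
    return 0 if !defined $str_pass || $str_pass eq '';
    return 0 if $str_pass =~ /[\r\n\0]/;    # control bytes never belong here
    my $rc = system(@prog, '-b', $userdb, $str_user, $str_pass);
    return $rc == 0 ? 1 : 0;
}

# Constructed password containing shell metacharacters: it must arrive in
# the child as one literal argument, not be interpreted by a shell.
my $pass = q{pa ss;word&$(x)};

add_user('/tmp/example.passwd', 'alice', $pass, @echo_argv)
    or die "unexpected rejection\n";

# A user name that looks like an option is refused before anything runs.
add_user('/tmp/example.passwd', '-D', $pass, @echo_argv)
    and die "option-like user name was accepted\n";
```

With -b the password is still visible in the process list while htpasswd runs; the list form removes the shell interpretation, not that exposure.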
