Date: Tue, 05 Apr 2016 22:37:58 +0100
From: Michael Tremer <michael.tremer@...ire.org>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE request: Remote command execution/XSS vulnerability after login in IPFire's web user interface

Hello,

I would like to request a CVE number for the following two issues in the web user interface of IPFire reported by Yann Cam [1]. We currently have an upstream bug report [2] that is non-public at the moment and patches are under review by the reporter.

1) XSS in GET parameter in ipinfo.cgi

A non-persistent XSS in a GET param is available in ipinfo.cgi. The injection can be URL-encoded with certain browsers or blocked with an Anti-XSS engine. This XSS works on IE and affects IPFire version <= 2.17 Core Update 99 for the moment.

File /srv/web/ipfire/cgi-bin/ipinfo.cgi line 87:

    &Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);

2) Remote command execution in proxy.cgi

Remote Command Execution in the proxy.cgi file. This file is protected from CSRF execution. Affected version <= 2.17 Core Update 99 for the moment.

File /srv/web/ipfire/cgi-bin/proxy.cgi line 4137:

    system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");

The $str_pass isn't sanitized before execution in the command line. It's possible to change the "NCSA_PASS" and "NCSA_PASS_CONFIRM" post data with arbitrary data.

Thank you,
-Michael

[1] https://www.asafety.fr/data/20160403_-_IPFire_2.17_i586_Core_Update_99_Remote_Command_Execution.txt
[2] https://bugzilla.ipfire.org/show_bug.cgi?id=11087

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
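The two lines quoted in the request share one root cause: request-controlled strings are concatenated into a context (HTML markup, a shell command line) that interprets them. The following Perl is an added illustration, not IPFire's code or the reporter's patch, showing the hardened shape of both call sites. Function names, the validation rules and the sample values are assumptions; the htpasswd path and the `-b` invocation are taken from the advisory.

```perl
#!/usr/bin/perl
# Added example (not from IPFire): hardened forms of the two patterns
# named in the CVE request. Helper names and validation rules are assumed.
use strict;
use warnings;

# 1) ipinfo.cgi-style output: encode every request-derived value before it
#    is placed into HTML. $hostname (reverse DNS) and $whoisname are just as
#    attacker-influenced as the GET parameter itself, so all three are escaped.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

sub ipinfo_title {
    my ($addr, $hostname, $whoisname) = @_;
    return html_escape($addr) . ' (' . html_escape($hostname) . ') : '
         . html_escape($whoisname);
}

# 2) proxy.cgi-style htpasswd call: the list form of system() execs the
#    binary directly, so no /bin/sh ever sees the password and characters
#    such as ';', '`' or '$(' are ordinary bytes of one argument.
my $HTPASSWD = '/usr/sbin/htpasswd';   # path as quoted in the advisory

sub valid_user {
    my ($u) = @_;
    return defined $u && $u =~ /\A[A-Za-z0-9_.\-]{1,64}\z/;
}

sub valid_pass {
    my ($p) = @_;
    # ':' and newlines would corrupt the htpasswd file format; control
    # characters are rejected outright. Length limits are an assumption.
    return defined $p && length($p) >= 1 && length($p) <= 255
        && $p !~ /[:\x00-\x1f\x7f]/;
}

sub add_proxy_user {
    my ($userdb, $user, $pass) = @_;
    die "invalid user name\n" unless valid_user($user);
    die "invalid password\n"  unless valid_pass($pass);
    # List form: arguments go straight to execve(), no shell parsing.
    my $rc = system($HTPASSWD, '-b', $userdb, $user, $pass);
    die "htpasswd failed (status $?)\n" if $rc != 0;
    return 1;
}

# Demonstration on constructed values; no htpasswd process is started here.
if (!caller) {
    print ipinfo_title('192.0.2.1', '<b>host</b>', 'Example "Net"'), "\n";
    for my $p ('correct horse', 'a;b', "a\nb", 'a:b') {
        (my $shown = $p) =~ s/\n/\\n/g;
        printf "%-16s -> %s\n", $shown, valid_pass($p) ? 'accepted' : 'rejected';
    }
}
```

Note that `a;b` is accepted by `valid_pass`: with the list form of `system()` it needs no rejection, because it is never interpreted by a shell. The validation exists for the file format and for sanity, not as the primary defence; the primary defence is never building a command string. One caveat that is a property of htpasswd rather than of this page: `-b` places the password on the command line, where it is visible to other local users via the process list, so newer htpasswd builds that support reading it from stdin are preferable where available.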