Date: Tue, 05 Apr 2016 22:37:58 +0100
From: Michael Tremer <>
Subject: CVE request: Remote command execution/XSS vulnerability after login
 in IPFire's web user interface


I would like to request a CVE number for the following two issues in the web
user interface of IPFire reported by Yann Cam [1].

We currently have an upstream bug report [2] that is non-public at the moment
and patches are under review by the reporter.

1) XSS in GET parameter in ipinfo.cgi

A non-persistent XSS in GET param is available in the ipinfo.cgi. The injection
can be URLencoded with certain browsers or blocked with Anti-XSS engine.

This XSS works on IE and affects IPFire version <= 2.17 Core Update 99 for the
File /srv/web/ipfire/cgi-bin/ipinfo.cgi line 87 :
    &Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);

2) Remote command execution in proxy.cgi

Remote Command Execution in the proxy.cgi file. This file is protected from CSRF
execution. Affected version <= 2.17 Core Update 99 for the moment.

File /srv/web/ipfire/cgi-bin/proxy.cgi line 4137 :
    system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");

The $str_pass isn't sanitized before execution in command line. It's possible to
change the "NCSA_PASS" and "NCSA_PASS_CONFIRM" post data with arbitrary data.

Thank you,
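
The following is an added example, not part of the message above and not IPFire's code or its patch: it contrasts the single-string system() call quoted from proxy.cgi with Perl's list form, which bypasses the shell. The printf stand-in for htpasswd, the sample values, and the valid_user/valid_pass helpers with their limits are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # keep our output ordered with the child processes' output

# Constructed sample values standing in for the variables on line 4137.
my $userdb   = '/tmp/example-ncsa-passwd';   # placeholder path, never written
my $str_user = 'alice';
my $str_pass = 'pw; echo RUN-BY-SHELL';      # constructed: contains a shell metacharacter

# printf stands in for /usr/sbin/htpasswd: it only echoes the arguments it
# receives, which makes the difference in argument handling visible.
my $tool = 'printf';
my $fmt  = 'arg=[%s]\n';

# Hypothetical allow-list checks (the limits are assumptions, not IPFire's rules).
# The user name may not start with '-', so it cannot be read as an option.
sub valid_user {
    my ($u) = @_;
    return defined $u && $u =~ /\A[A-Za-z0-9_][A-Za-z0-9._-]{0,63}\z/;
}
# The password may contain punctuation but no control characters.
sub valid_pass {
    my ($p) = @_;
    return defined $p && length($p) >= 1 && length($p) <= 128
        && $p !~ /[\x00-\x1f\x7f]/;
}

# Before: one interpolated string. Perl hands it to /bin/sh, which splits the
# password at ';' and runs the remainder as a second command.
print "-- string form, as on line 4137 --\n";
system("$tool '$fmt' -b $userdb $str_user $str_pass");

# After: list form. Perl calls execvp() directly, no shell is involved, and
# the password reaches the program as exactly one argument.
print "-- list form, after validation --\n";
if (valid_user($str_user) && valid_pass($str_pass)) {
    system($tool, $fmt, '-b', $userdb, $str_user, $str_pass) == 0
        or warn "command failed, status $?\n";
} else {
    warn "rejected NCSA_USER or NCSA_PASS value\n";
}
```

The list form removes the shell from the call path; the validation is a second layer. With htpasswd's -b option the password is still visible on the command line to other local processes.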
