search

dennisaj / fusionpbx

Automatically exported from code.google.com/p/fusionpbx
0 stars 0 forks source link

XSS on the status_registrations.php page #931

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Visit <fusionpbx 
install>/app/registrations/status_registrations.php?profile=internal%26show%3D%2
7%3B%20alert(document.cookie);%20var%20a%20%3D%20%27
2. Observe your private cookie data being displayed before you.

What is the expected output? What do you see instead?
Any input should be sanitized before being passed between languages (in this 
case it's the PHP->JS that's the problem) as well as when being accepted from 
untrusted sources (such as the user)

What version of the product are you using? On what operating system?
FusionPBX 3.6.3 on Debian Wheezy

Please provide any additional information below.
I have not looked into it further, but I highly suspect there are other XSS 
vulnerabilities, and I would be very much not surprised if there were CSRF 
vulnerabilities as well (similar, but not identical). I don't really have time 
to dig them all up right now, so I wanted to start by reporting this one and 
generally getting a conversation about trusting user input going. This 
particular one arises from line 92 of 
app/registrations/status_registrations.php (there are actually 2 places where 
XSS is possible from that same line, the profile and show variables):

var url = 'status_registrations_inc.php?profile=<?php echo $profile; 
?>&show=<?php echo $show; ?>';

By setting the value of profile in the request to a URL encoded version of 
something like this:

internal&show='; alert(document.cookie); var a = '

an attacker is able to execute arbitrary javascript in the context of the 
FusionPBX installation with the cookies of the victim.

Original issue reported on code.google.com by thefin...@gmail.com on 20 Apr 2015 at 6:00

GoogleCodeExporter commented 9 years ago 
This has been fixed in revision 8316.
By limiting the value of $show = 'all' or an empty string.
if ($show != "all") { $show = ''; }

Took a look at show all in devices, cdr, and destinations and seems to be okay 
on those. If you find any others please report them.

Original comment by markjcrane@gmail.com on 25 Apr 2015 at 5:59

GoogleCodeExporter commented 9 years ago 
I haven't tested, but that looks like it would fix the XSS for the show 
variable, but not the profile variable. Take a look at the sample URL I posted, 
it's putting the XSS in the the value of $_GET['profile']

Original comment by thefin...@gmail.com on 26 Apr 2015 at 4:58