From 0e302b1efc06e0aac4e46b1aa0a44610fcb52db7 Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Fri, 3 Oct 2025 18:09:01 +0000
Subject: [PATCH] firewall.cgi: Fixes XSS potential
commit 21539d63dfcb15f186309b3107f63d455e4008ea
Author: Adolf Belka
Date: Thu Oct 2 13:10:15 2025 +0200
firewall.cgi: Fixes XSS potential - Related to CVE-2025-50975 - Fixes PROT - ruleremark was already escaped when firewall.cgi was initially merged back in Core Update 77. - SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as ports or port ranges. - std_net_tgt is a string defined in the code and not a variable - The variable key ignores any input that is not a digit and subsequently uses the next free rulenumber digit
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer
Signed-off-by: Vincent Li
---
 html/cgi-bin/firewall.cgi | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 6b1768243..4028f3858 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -2,7 +2,8 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2013 Alexander Marx #
+# Copyright (C) 2013-2025 IPFire Team #
+# Copyright (C) 2024-2025 BPFire Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -2400,6 +2401,7 @@ sub saverule
 $fwdfwsettings{'ruleremark'}=~ s/,/;/g;
 utf8::decode($fwdfwsettings{'ruleremark'});
 $fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'});
+ $fwdfwsettings{'PROT'}=&Header::escape($fwdfwsettings{'PROT'});
 if ($fwdfwsettings{'updatefwrule'} ne 'on'){
 my $key = &General::findhasharraykey ($hash);
 $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
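Review bot: The added `&Header::escape` on `$fwdfwsettings{'PROT'}` in `saverule` neutralises markup but still accepts any string as the rule's protocol, so an unexpected value is stored entity-encoded instead of being rejected. A protocol is presumably one of a small fixed set, so an allowlist test before this line would be the stronger control: reject the request with an error unless `grep { $_ eq $fwdfwsettings{'PROT'} } @allowed_protocols` holds, where `@allowed_protocols` is a placeholder for whatever list the file already keeps. Whether an earlier check in the CGI already enforces this is not visible here. Escaping on input also hands the encoded value to every consumer of the stored rule, not only the HTML page, and re-saving an edited rule may encode it a second time (the same would apply to `ruleremark` just above); escaping at the point where the value is printed avoids both. `saverule` starts and ends outside the hunk, so where `PROT` is written into `$$hash{$key}` cannot be confirmed from these lines.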