mail.cgi: Validate email recipient

The email recipient was not correctly validated which allowed for some
stored cross-site scripting vulnerability.

Fixes: #12925 - JVN#15411362 Inquiry on vulnerability found in IPFire
Reported-by: Noriko Totsuka <vuls@jpcert.or.jp>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Michael Tremer
2022-09-06 13:58:22 +02:00
committed by Peter Müller
parent cc826e8628
commit 7cb63527d9
3 changed files with 6 additions and 0 deletions

@@ -283,6 +283,10 @@ sub checkmailsettings {
$errormessage .= "$Lang::tr{'email invalid'} $Lang::tr{'email mailsender'}<br>";
}
}
# Check for a valid recipient
if (!&General::validemail($cgiparams{'txt_recipient'})) {
$errormessage .= $Lang::tr{'email recipient invalid'} . "<br>";
}
return $errormessage;
}
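
Review bot: the recipient check added at the end of checkmailsettings rejects a bad txt_recipient only at the point where settings are checked, so a value that was stored before this change is never re-validated. Since the commit message describes a stored cross-site scripting issue, the code that writes txt_recipient back into HTML (not visible in this hunk) should also escape it on output, so the fix does not rest on input validation alone. The new check also sits outside the nested block that closes just above it, so it runs unconditionally; if the form can be saved with an empty recipient in some configuration, consider placing the check under the same condition as the sender check. Minor style point: the new line builds the message with "." concatenation while the sender line above interpolates both strings in one quoted string; matching the existing form would keep the function consistent.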