From a8d93e014d11aeb4d25f09938f1ae73cd2c9fba7 Mon Sep 17 00:00:00 2001 From: Vincent Li Date: Fri, 3 Oct 2025 21:56:05 +0000 Subject: [PATCH] proxy.cgi: sync bug 12755 13893 fixes from ipfire commit f7c4f7d2968be6c9b786b7f7e46fdb8ac96c8104 Author: Michael Tremer Date: Thu Sep 25 17:32:51 2025 +0200 proxy.cgi: Escape parameters in the right place Signed-off-by: Michael Tremer commit e22ecef885c34462565ae20020a32a27d0585dc3 Author: Adolf Belka Date: Thu Sep 25 13:12:52 2025 +0200 proxy.cgi: Further fix for bug 13893 - Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the description for that bug. - bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi which is incorrect except for TLS_HOSTNAME. - The other parameters are from proxy.cgi but no mitigation was shown for those in the bug report. - This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 4cf0694e55305e368c4ca28da2db7481c8f08c5a Author: Adolf Belka Date: Thu Sep 25 13:12:51 2025 +0200 proxy.cgi: Fixes bug 13893 Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit a63c51da8ea03896c3340960821fbacece58f861 Author: Adolf Belka Date: Tue May 6 16:10:10 2025 +0200 proxy.cgi: Fixes bug12755 - proxy auth problem with password longer than 8 chars - This makes the proxy local password management the same between chpasswd.cgi and proxy.cgi - Tested out on my vm testbed and was able to create and modify users and their passwords in the proxy.cgi page or modify a password for a specified user on the chpasswd.cgi page. This all happened successfully and was confirmed by testing out the local authentication. Fixes: bug12755 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer Signed-off-by: Vincent Li --- html/cgi-bin/proxy.cgi | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index c8e3576df..fdb7c6a77 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -20,7 +20,6 @@ ############################################################################### use strict; -use Apache::Htpasswd; use Scalar::Util qw(looks_like_number); # enable only the following on debugging purpose @@ -956,7 +955,8 @@ if ($netsettings{'BLUE_DEV'}) { } print <$Lang::tr{'advproxy visible hostname'}: - + END @@ -1075,13 +1075,15 @@ print <$Lang::tr{'proxy cachemgr'}: $Lang::tr{'advproxy admin mail'}: - + $Lang::tr{'proxy filedescriptors'}: * $Lang::tr{'proxy admin password'}: - + @@ -3977,8 +3979,14 @@ END print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n"; } - if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; } - if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; } + if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) + { + print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; + } + if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) + { + print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; + } print FILE "\n"; print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n"; @@ -3994,8 +4002,13 @@ END # login=*:password ($proxysettings{'FORWARD_USERNAME'} eq 'on') if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS')) { + $proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'}); print FILE " login=$proxysettings{'UPSTREAM_USER'}"; - if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; } + if ($proxy1 eq 'YES') + { + $proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'}); + print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; + } } elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; } @@ -4050,15 +4063,7 @@ sub adduser close(FILE); } else { &deluser($str_user); - - my %htpasswd_options = ( - passwdFile => "$userdb", - UseMD5 => 1, - ); - - my $htpasswd = new Apache::Htpasswd(\%htpasswd_options); - - $htpasswd->htpasswd($str_user, $str_pass); + &General::system("/usr/bin/htpasswd", "-bB", "-C 10", "$userdb", "$str_user", "$str_pass"); } if ($str_group eq 'standard') { open(FILE, ">>$stdgrp");