From cc826e8628141abce615699a8c10592233dc467c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 9 Sep 2022 13:58:15 +0000 Subject: [PATCH 1/4] setaliases: Use "secondary" flag instead of scope The scope option does not seem to work at all now, which is surprising since I tested it quite well. The secondary flag cannot be set from userspace (aparently), but it works, so I would prefer to go with this option for now. Signed-off-by: Michael Tremer --- src/misc-progs/setaliases.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/misc-progs/setaliases.c b/src/misc-progs/setaliases.c index a541a4fd2..4b18ba325 100644 --- a/src/misc-progs/setaliases.c +++ b/src/misc-progs/setaliases.c @@ -28,8 +28,6 @@ struct keyvalue *kv = NULL; FILE *file = NULL; -#define SCOPE 128 - void exithandler(void) { if (kv) freekeyvalues(kv); @@ -125,7 +123,7 @@ int main(void) alias = 0; do { snprintf(command, STRING_SIZE - 1, - "ip addr flush dev red%d scope %d 2>/dev/null", alias++, SCOPE); + "ip addr flush secondary dev red%d 2>/dev/null", alias++); } while (safe_system(command) == 0); /* Now set up the new aliases from the config file */ @@ -184,8 +182,8 @@ int main(void) if (!intf) intf = red_dev; - snprintf(command, STRING_SIZE - 1, "ip addr add %s/%s dev %s scope %d", - aliasip, red_netmask, intf, SCOPE); + snprintf(command, STRING_SIZE - 1, "ip addr add %s/%s secondary dev %s 2>/dev/null", + aliasip, red_netmask, intf); safe_system(command); alias++; From 7cb63527d96c4610171feb580c9fcd27c3af26b6 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 6 Sep 2022 13:58:22 +0200 Subject: [PATCH 2/4] mail.cgi: Validate email recipient The email recipient was not correctly validated which allowed for some stored cross-site scripting vulnerability. Fixes: #12925 - JVN#15411362 Inquiry on vulnerability found in IPFire Reported-by: Noriko Totsuka 
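Review bot: The flush inside the `do … while` loop now removes only addresses the kernel has flagged as secondary, so a reload is clean only if every alias added earlier actually carries that flag. As far as I know the kernel sets it only when the new address falls into the same subnet as an existing primary address on the device, and the commit message itself notes it cannot be set from userspace; an alias outside the primary RED subnet would presumably survive the flush. This is worth confirming with an alias in a different subnet. A comment above the loop such as `/* Relies on the kernel marking alias addresses as secondary */` would record the assumption. main() starts and ends outside the hunk.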
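Review bot: The `ip addr add` command in the last hunk now ends in `2>/dev/null` while the result of `safe_system(command)` is still discarded, so a failed alias add leaves no trace at all. Checking the return value would keep failures visible, e.g. `if (safe_system(command) != 0) fprintf(stderr, "Could not add alias %s\n", aliasip);`. The command is a formatted string handed to `safe_system`, so it also relies on `aliasip`, `red_netmask` and `intf` having been validated earlier in main(), which is outside this hunk.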
Signed-off-by: Michael Tremer --- html/cgi-bin/mail.cgi | 4 ++++ langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 6 insertions(+) diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi index 4ebc6b033..34f52ae01 100644 --- a/html/cgi-bin/mail.cgi +++ b/html/cgi-bin/mail.cgi @@ -283,6 +283,10 @@ sub checkmailsettings { $errormessage .= "$Lang::tr{'email invalid'} $Lang::tr{'email mailsender'}
"; } } + # Check for a valid recipient + if (!&General::validemail($cgiparams{'txt_recipient'})) { + $errormessage .= $Lang::tr{'email recipient invalid'} . "
"; + } return $errormessage; } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index d3b4c8687..0dbc90718 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -963,6 +963,7 @@ 'email mailrcpt' => 'E-Mail-Empfänger', 'email mailsender' => 'E-Mail-Absender', 'email mailuser' => 'Benutzername', +'email recipient invalid' => 'Ungültiger Emailempfänger', 'email server can not be empty' => 'E-Mail-Server darf nicht leer sein', 'email settings' => 'Mailversand', 'email subject' => 'IPFire Test-E-Mail', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 36f97de38..7de75ad3c 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1004,6 +1004,7 @@ 'email mailrcpt' => 'Mail Recipient', 'email mailsender' => 'Mail Sender', 'email mailuser' => 'Username', +'email recipient invalid' => 'Invalid email recipient', 'email server can not be empty' => 'E-mail server can not be empty', 'email settings' => 'Mail Service', 'email subject' => 'IPFire Test Mail', From ba4f53c56573d51be5e804f70965e82e5b271fd5 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 6 Sep 2022 14:15:54 +0200 Subject: [PATCH 3/4] proxy.cgi: Correctly validate domain lists Fixes: #12925 - JVN#15411362 Inquiry on vulnerability found in IPFire Reported-by: Noriko Totsuka Signed-off-by: Michael Tremer --- config/cfgroot/general-functions.pl | 11 +++++++++++ html/cgi-bin/proxy.cgi | 2 ++ langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 4 files changed, 15 insertions(+) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 16a05cecf..98bedb4b9 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl 
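Review bot: The recipient check added to checkmailsettings is the only defence against the stored XSS visible in this hunk, and it holds only if `General::validemail` rejects every HTML-significant character. The place where `txt_recipient` is written back into the page is outside the hunk; encoding it there as well, for instance `&Header::escape($cgiparams{'txt_recipient'})` if header.pl is loaded in mail.cgi, would keep the page safe even if the validator is relaxed later. The check sits after the closing braces of the preceding condition, so it appears to run unconditionally; confirm that an empty recipient is never a legitimate state when this sub is called. The body of checkmailsettings starts outside the hunk.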
@@ -756,6 +756,17 @@ sub validdomainname return 1; } +sub validwildcarddomainname($) { + my $domainname = shift; + + # Ignore any leading dots + if ($domainname =~ m/^\*\.(.*)/) { + $domainname = $1; + } + + return &validdomainname($domainname); +} + sub validfqdn { # Checks a fully qualified domain name against RFC1035 and RFC2181 diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 0111a240b..577d37b93 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -2506,6 +2506,7 @@ sub check_acls if ($_) { if (/^\./) { $_ = '*'.$_; } + unless (&General::validwildcarddomainname($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); } $proxysettings{'DST_NOCACHE'} .= $_."\n"; } } @@ -2604,6 +2605,7 @@ sub check_acls if ($_) { if (/^\./) { $_ = '*'.$_; } + unless (&General::validwildcarddomainname($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); } $proxysettings{'DST_NOPROXY_URL'} .= $_."\n"; } } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 0dbc90718..cf31b9171 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -301,6 +301,7 @@ 'advproxy errmsg invalid proxy port' => 'Ungültiger Proxyport', 'advproxy errmsg invalid upstream proxy' => 'Ungültige IP/Hostname für vorgelagerten Proxy', 'advproxy errmsg invalid upstream proxy username or password setting' => 'Ungültiger Benutzername oder ungültiges Kennwort für vorgelagerten Proxy', +'advproxy errmsg invalid url' => 'Ungültige URL', 'advproxy errmsg invalid user' => 'Benutzername existiert nicht', 'advproxy errmsg ldap base dn' => 'LDAP Base DN erforderlich', 'advproxy errmsg ldap bind dn' => 'LDAP Bind DN Benutzername und Passwort erforderlich', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 7de75ad3c..11ba10f8f 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
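Review bot: The pattern `m/^\*\.(.*)/` in validwildcarddomainname has no end anchor and `.` does not match a newline, so for a value containing a line break only the first line is captured and handed to validdomainname, and the rest escapes validation. `if ($domainname =~ m/\A\*\.(.+)\z/s) {` passes the whole remainder on and leaves a bare `*.` unstripped. The callers added in proxy.cgi appear to pass single lines, so this is hardening for other callers. The comment says "Ignore any leading dots" while the code strips a leading `*.`; `# Strip a leading "*." wildcard label before validating` would match it. The `($)` prototype has no effect when the sub is called with `&`, as both new call sites do.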
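Review bot: An entry that fails `&General::validwildcarddomainname($_)` in check_acls is still appended to `$proxysettings{'DST_NOCACHE'}` on the following line, and `$errormessage` is assigned rather than appended, so only the last rejected entry is reported and an error set earlier can be overwritten. Whether the rejected value stays out of the saved configuration depends on the caller stopping on `$errormessage`, which is outside the hunk. Appending only on success would make the check self-contained: `if (&General::validwildcarddomainname($_)) { $proxysettings{'DST_NOCACHE'} .= $_."\n"; } else { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); }`. The second hunk at -2604 repeats the same pattern for `DST_NOPROXY_URL`.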
@@ -298,6 +298,7 @@ 'advproxy errmsg invalid proxy port' => 'Invalid proxy port', 'advproxy errmsg invalid upstream proxy' => 'Invalid upstream proxy IP/hostname', 'advproxy errmsg invalid upstream proxy username or password setting' => 'Invalid upstream proxy username or password setting', +'advproxy errmsg invalid url' => 'Invalid URL', 'advproxy errmsg invalid user' => 'Username does not exist', 'advproxy errmsg ldap base dn' => 'LDAP base DN required', 'advproxy errmsg ldap bind dn' => 'LDAP bind DN username and password required', From a981a365a078f5840b32a76c4ad9aa75111a60f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Sun, 11 Sep 2022 08:13:27 +0000 Subject: [PATCH 4/4] Core Update 170: Ship files related to #12925 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Peter Müller --- config/rootfiles/core/170/filelists/files | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/rootfiles/core/170/filelists/files b/config/rootfiles/core/170/filelists/files index df8020847..d31e49ad3 100644 --- a/config/rootfiles/core/170/filelists/files +++ b/config/rootfiles/core/170/filelists/files @@ -4,7 +4,9 @@ opt/pakfire/pakfire srv/web/ipfire/cgi-bin/aliases.cgi srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/ipblocklist.cgi +srv/web/ipfire/cgi-bin/mail.cgi srv/web/ipfire/cgi-bin/pakfire.cgi +srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/services.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi srv/web/ipfire/cgi-bin/vulnerabilities.cgi @@ -22,6 +24,7 @@ usr/share/terminfo/t/tmux-256color usr/share/terminfo/t/tmux-direct var/ipfire/backup/bin/backup.pl var/ipfire/backup/include +var/ipfire/general-functions.pl var/ipfire/ipblocklist-functions.pl var/ipfire/menu.d/50-firewall.menu var/ipfire/menu.d/70-log.menu