From 763efaf672a27297e274fbe526a3c49ea96904ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20M=C3=BCller?=
Date: Thu, 1 Sep 2022 20:30:18 +0000
Subject: [PATCH 1/5] configroot: Create "settings" and "modify" files for ipblocklist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The third version of this patch conducts the necessary changes in configroot. Previously, they took place in ipblocklist itself, which would have caused user settings to be overwritten, should ipblocklist be shipped in future Core Updates.

Fixes: #12917
Cc: Stefan Schantl
Signed-off-by: Peter Müller
Acked-by: Stefan Schantl
---
 config/rootfiles/common/configroot | 1 +
 config/rootfiles/core/170/update.sh | 4 ++++
 lfs/configroot | 6 +++---
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index 088e87f5b..4d631cea5 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -83,6 +83,7 @@ var/ipfire/location-functions.pl
 var/ipfire/ids-functions.pl
 var/ipfire/ipblocklist-functions.pl
 var/ipfire/ipblocklist
+#var/ipfire/ipblocklist/modified
 #var/ipfire/ipblocklist/settings
 var/ipfire/isdn
 #var/ipfire/isdn/settings
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
index b6b66f3f1..9d16f4a32 100644
--- a/config/rootfiles/core/170/update.sh
+++ b/config/rootfiles/core/170/update.sh
@@ -164,6 +164,10 @@ ldconfig
 mkdir -pv /var/lib/ipblocklist
 chown nobody:nobody /var/lib/ipblocklist
 
+# Create necessary files for IPBlocklist and set their ownership accordingly (#12917)
+touch /var/ipfire/ipblocklist/{settings,modified}
+chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified}
+
 # Rebuild fcrontab from scratch
 /usr/bin/fcrontab -z
 
diff --git a/lfs/configroot b/lfs/configroot
index 5565bd344..31b9a9463 100644
--- a/lfs/configroot
+++ b/lfs/configroot
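Review bot: The two lines added after `chown nobody:nobody /var/lib/ipblocklist` normalise the owner of /var/ipfire/ipblocklist/{settings,modified} but not their mode, so a freshly created file gets whatever the update script's umask yields and a pre-existing one keeps its old mode; if these files are meant to match the other settings files under /var/ipfire, pin it with `chmod 644 /var/ipfire/ipblocklist/{settings,modified}` after the chown. `touch` leaves existing contents alone, which is what the commit message asks for, and a comment saying so would spare the next reader a check: `# touch is idempotent: existing user settings are kept, only ownership is normalised`. Like the surrounding mkdir/chown lines, neither call's return value is checked. The subject line speaks of a "modify" file while the file created here is named `modified`.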
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2021 IPFire Team #
+# Copyright (C) 2007-2022 IPFire Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -65,8 +65,8 @@ $(TARGET) : captive/settings captive/agb.txt captive/clients captive/voucher_out
 certs/index.txt certs/index.txt.attr ddns/config ddns/settings ddns/ipcache dhcp/settings \
 dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/servers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
 ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/locationblock firewall/input firewall/outgoing \
- fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings ipblocklist/settings \
- isdn/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
+ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings ipblocklist/modified \
+ ipblocklist/settings isdn/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
 ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
 ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
 qos/tosconfig suricata/settings vpn/config vpn/settings vpn/ipsec.conf \
From cc826e8628141abce615699a8c10592233dc467c Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 9 Sep 2022 13:58:15 +0000
Subject: [PATCH 2/5] setaliases: Use "secondary" flag instead of scope

The scope option does not seem to work at all now, which is surprising since I tested it quite well. The secondary flag cannot be set from userspace (aparently), but it works, so I would prefer to go with this option for now.

Signed-off-by: Michael Tremer
---
 src/misc-progs/setaliases.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/misc-progs/setaliases.c b/src/misc-progs/setaliases.c
index a541a4fd2..4b18ba325 100644
--- a/src/misc-progs/setaliases.c
+++ b/src/misc-progs/setaliases.c
@@ -28,8 +28,6 @@
 struct keyvalue *kv = NULL;
 FILE *file = NULL;
 
-#define SCOPE 128
-
 void exithandler(void)
 {
 if (kv) freekeyvalues(kv);
@@ -125,7 +123,7 @@ int main(void)
 alias = 0;
 do {
 snprintf(command, STRING_SIZE - 1,
- "ip addr flush dev red%d scope %d 2>/dev/null", alias++, SCOPE);
+ "ip addr flush secondary dev red%d 2>/dev/null", alias++);
 } while (safe_system(command) == 0);
 
 /* Now set up the new aliases from the config file */
@@ -184,8 +182,8 @@ int main(void)
 if (!intf)
 intf = red_dev;
 
- snprintf(command, STRING_SIZE - 1, "ip addr add %s/%s dev %s scope %d",
- aliasip, red_netmask, intf, SCOPE);
+ snprintf(command, STRING_SIZE - 1, "ip addr add %s/%s secondary dev %s 2>/dev/null",
+ aliasip, red_netmask, intf);
 safe_system(command);
 alias++;
 
From 7cb63527d96c4610171feb580c9fcd27c3af26b6 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 6 Sep 2022 13:58:22 +0200
Subject: [PATCH 3/5] mail.cgi: Validate email recipient

The email recipient was not correctly validated which allowed for some stored cross-site scripting vulnerability.

Fixes: #12925 - JVN#15411362 Inquiry on vulnerability found in IPFire
Reported-by: Noriko Totsuka
Signed-off-by: Michael Tremer
---
 html/cgi-bin/mail.cgi | 4 ++++
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 3 files changed, 6 insertions(+)

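Review bot: In the third hunk the `2>/dev/null` newly appended to the `ip addr add` command, together with the still-ignored result of `safe_system(command)` on the following line, means a failed alias add (address already present, wrong netmask, missing device) now leaves no trace anywhere; check the result and report it, e.g. `if (safe_system(command)) fprintf(stderr, "setaliases: could not add %s on %s\n", aliasip, intf);`. The flush loop in the second hunk keeps its termination condition — it stops at the first redN device for which `ip addr flush` fails — so that change is behaviour-neutral apart from which addresses are flushed. `aliasip` and `red_netmask` are interpolated into a command string; presumably they were validated earlier in main, which is worth confirming if `safe_system` hands the string to a shell. main starts and ends outside these hunks.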
diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi
index 4ebc6b033..34f52ae01 100644
--- a/html/cgi-bin/mail.cgi
+++ b/html/cgi-bin/mail.cgi
@@ -283,6 +283,10 @@ sub checkmailsettings {
 $errormessage .= "$Lang::tr{'email invalid'} $Lang::tr{'email mailsender'}
";
 }
 }
+ # Check for a valid recipient
+ if (!&General::validemail($cgiparams{'txt_recipient'})) {
+ $errormessage .= $Lang::tr{'email recipient invalid'} . "
";
+ }
 return $errormessage;
 }
 
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index d3b4c8687..0dbc90718 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -963,6 +963,7 @@
 'email mailrcpt' => 'E-Mail-Empfänger',
 'email mailsender' => 'E-Mail-Absender',
 'email mailuser' => 'Benutzername',
+'email recipient invalid' => 'Ungültiger Emailempfänger',
 'email server can not be empty' => 'E-Mail-Server darf nicht leer sein',
 'email settings' => 'Mailversand',
 'email subject' => 'IPFire Test-E-Mail',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 36f97de38..7de75ad3c 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1004,6 +1004,7 @@
 'email mailrcpt' => 'Mail Recipient',
 'email mailsender' => 'Mail Sender',
 'email mailuser' => 'Username',
+'email recipient invalid' => 'Invalid email recipient',
 'email server can not be empty' => 'E-mail server can not be empty',
 'email settings' => 'Mail Service',
 'email subject' => 'IPFire Test Mail',
From ba4f53c56573d51be5e804f70965e82e5b271fd5 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 6 Sep 2022 14:15:54 +0200
Subject: [PATCH 4/5] proxy.cgi: Correctly validate domain lists

Fixes: #12925 - JVN#15411362 Inquiry on vulnerability found in IPFire
Reported-by: Noriko Totsuka
Signed-off-by: Michael Tremer
---
 config/cfgroot/general-functions.pl | 11 +++++++++++
 html/cgi-bin/proxy.cgi | 2 ++
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 4 files changed, 15 insertions(+)

diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
index 16a05cecf..98bedb4b9 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
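Review bot: The new recipient check validates on input only; wherever `txt_recipient` is rendered back into the page it should also pass through `&Header::escape`, as the proxy.cgi change in patch 4 does for its error text, so that a value stored before this update or through another path is not reflected unescaped. The check also runs unconditionally, so an empty `txt_recipient` now yields `'email recipient invalid'`; if the field may legitimately be empty (for example while mail sending is disabled), guard it with `if ($cgiparams{'txt_recipient'} ne '' && !&General::validemail($cgiparams{'txt_recipient'})) {`, otherwise a one-line comment stating that a recipient is mandatory would make the intent clear. checkmailsettings starts outside the hunk.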
@@ -756,6 +756,17 @@ sub validdomainname
 return 1;
 }
 
+sub validwildcarddomainname($) {
+ my $domainname = shift;
+
+ # Ignore any leading dots
+ if ($domainname =~ m/^\*\.(.*)/) {
+ $domainname = $1;
+ }
+
+ return &validdomainname($domainname);
+}
+
 sub validfqdn
 {
 # Checks a fully qualified domain name against RFC1035 and RFC2181
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 0111a240b..577d37b93 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -2506,6 +2506,7 @@ sub check_acls
 if ($_)
 {
 if (/^\./) { $_ = '*'.$_; }
+ unless (&General::validwildcarddomainname($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); }
 $proxysettings{'DST_NOCACHE'} .= $_."\n";
 }
 }
@@ -2604,6 +2605,7 @@ sub check_acls
 if ($_)
 {
 if (/^\./) { $_ = '*'.$_; }
+ unless (&General::validwildcarddomainname($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); }
 $proxysettings{'DST_NOPROXY_URL'} .= $_."\n";
 }
 }
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 0dbc90718..cf31b9171 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -301,6 +301,7 @@
 'advproxy errmsg invalid proxy port' => 'Ungültiger Proxyport',
 'advproxy errmsg invalid upstream proxy' => 'Ungültige IP/Hostname für vorgelagerten Proxy',
 'advproxy errmsg invalid upstream proxy username or password setting' => 'Ungültiger Benutzername oder ungültiges Kennwort für vorgelagerten Proxy',
+'advproxy errmsg invalid url' => 'Ungültige URL',
 'advproxy errmsg invalid user' => 'Benutzername existiert nicht',
 'advproxy errmsg ldap base dn' => 'LDAP Base DN erforderlich',
 'advproxy errmsg ldap bind dn' => 'LDAP Bind DN Benutzername und Passwort erforderlich',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 7de75ad3c..11ba10f8f 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
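Review bot: The comment `# Ignore any leading dots` above the regex in validwildcarddomainname does not describe it: the pattern strips exactly one leading `*.` wildcard label and nothing else, so `# Strip a single leading "*." wildcard label and validate the rest` would match the code. `m/^\*\.(.*)/` is not anchored at the end and `.` does not match a newline, so anything following an embedded newline is silently dropped from the name that reaches validdomainname; `m/^\*\.(.*)\z/s` keeps the whole remainder, and the bare input `*.` then hands an empty string to validdomainname, whose handling of that lies outside the hunk. The `($)` prototype is bypassed by the `&General::validwildcarddomainname($_)` call form used in proxy.cgi, and the neighbouring subs (validdomainname, validfqdn) carry none and appear to put the opening brace on its own line, so dropping the prototype and matching that layout keeps the file consistent.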
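Review bot: In both proxy.cgi hunks (the DST_NOCACHE loop at 2506 and the DST_NOPROXY_URL loop at 2604) an entry that fails `validwildcarddomainname` is still appended to `$proxysettings{...}` on the very next line, and `$errormessage = ...` overwrites any message set by an earlier entry or check; presumably check_acls' caller discards the settings whenever `$errormessage` is set, which is worth confirming, and if it does not, add `next;` after the assignment inside the `unless` block. Escaping the echoed value with `&Header::escape($_)` is the right output-side control for the reported issue. check_acls starts and ends outside both hunks.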
@@ -298,6 +298,7 @@
 'advproxy errmsg invalid proxy port' => 'Invalid proxy port',
 'advproxy errmsg invalid upstream proxy' => 'Invalid upstream proxy IP/hostname',
 'advproxy errmsg invalid upstream proxy username or password setting' => 'Invalid upstream proxy username or password setting',
+'advproxy errmsg invalid url' => 'Invalid URL',
 'advproxy errmsg invalid user' => 'Username does not exist',
 'advproxy errmsg ldap base dn' => 'LDAP base DN required',
 'advproxy errmsg ldap bind dn' => 'LDAP bind DN username and password required',
From a981a365a078f5840b32a76c4ad9aa75111a60f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20M=C3=BCller?=
Date: Sun, 11 Sep 2022 08:13:27 +0000
Subject: [PATCH 5/5] Core Update 170: Ship files related to #12925
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Peter Müller
---
 config/rootfiles/core/170/filelists/files | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/rootfiles/core/170/filelists/files b/config/rootfiles/core/170/filelists/files
index df8020847..d31e49ad3 100644
--- a/config/rootfiles/core/170/filelists/files
+++ b/config/rootfiles/core/170/filelists/files
@@ -4,7 +4,9 @@ opt/pakfire/pakfire
 srv/web/ipfire/cgi-bin/aliases.cgi
 srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/ipblocklist.cgi
+srv/web/ipfire/cgi-bin/mail.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
+srv/web/ipfire/cgi-bin/proxy.cgi
 srv/web/ipfire/cgi-bin/services.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 srv/web/ipfire/cgi-bin/vulnerabilities.cgi
@@ -22,6 +24,7 @@ usr/share/terminfo/t/tmux-256color
 usr/share/terminfo/t/tmux-direct
 var/ipfire/backup/bin/backup.pl
 var/ipfire/backup/include
+var/ipfire/general-functions.pl
 var/ipfire/ipblocklist-functions.pl
 var/ipfire/menu.d/50-firewall.menu
 var/ipfire/menu.d/70-log.menu