ipinfo.cgi: Remove XSS vulnerability

References: #11087

Reported-by: Yann Cam <yann.cam@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer
2016-04-04 14:22:56 +01:00
parent c954b6acdc
commit f367d5b388


@@ -19,6 +19,7 @@
# #
###############################################################################
use CGI;
use IO::Socket;
use strict;
@@ -34,18 +35,14 @@ my %cgiparams=();
&Header::showhttpheaders();
&Header::getcgihash(\%cgiparams);
$ENV{'QUERY_STRING'} =~s/&//g;
my @addrs = split(/ip=/,$ENV{'QUERY_STRING'});
&Header::openpage($Lang::tr{'ip info'}, 1, '');
&Header::openbigbox('100%', 'left');
my @lines=();
my $extraquery='';
foreach my $addr (@addrs) {
next if $addr eq "";
my $addr = CGI::param("ip") || "";
if (&General::validip($addr)) {
$extraquery='';
@lines=();
my $whoisname = "whois.arin.net";
@@ -91,6 +88,14 @@ next if $addr eq "";
}
print "</pre>\n";
&Header::closebox();
} else {
&Header::openbox('100%', 'left', $Lang::tr{'invalid ip'});
print <<EOF;
<p style="text-align: center;">
$Lang::tr{'invalid ip'}
</p>
EOF
&Header::closebox();
}
print <<END
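Review bot: The new `else` branch is safe only because it prints the fixed `$Lang::tr{'invalid ip'}` string and never the rejected value, and nothing in the code records that. I would add a comment above its `print <<EOF;`, such as `# $addr failed validip() and is attacker-controlled: never echo it here`. The valid branch now depends entirely on `&General::validip($addr)`, whose pattern is not visible on this page. If that pattern is not anchored at both ends, extra characters could still pass along with an address, so it is worth confirming. The whois lookup and most of the `<pre>` output sit outside these hunks, so I cannot tell whether the server's response lines are HTML-escaped before printing; that text is remote-controlled and deserves the same treatment as the query string.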