An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://192.168.0.241:444/cgi-bin/routing.cgi) Routing Table Entries
via the "Remark" text box or "remark" parameter. This is due to a
lack of user input validation in "Remark" text box or "remark"
parameter. It allows an authenticated WebGUI user with privileges
for the affected page to execute Stored Cross-site Scripting in
the Routing Table Entries (/cgi-bin/routing.cgi), which helps
attacker to redirect the victim to a attacker's phishing page.
The Stored XSS get prompted on the victims page whenever victim
tries to access the Routing Table Entries configuraiton page.
An attacker get access to the victim's session by performing
the CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.
This attack can possibly spoof the victim's informations.
Fixes: #12072
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch also requires a reboot after installing this update
so that the changed ruleset is being applied.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This creates some overhead that we do not need and rules need to
be adjusted to match any direction they are supposed to match.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The script relied on the configuration being in lowercase.
If people manually editied their configuration file they might
not have paid attention to this and therefore this script now
also accepts uppercase MAC addresses.
Fixes: #12047
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This was still using the old version of OpenSSL.
Instead of linking the module (which we should have found earlier)
the module uses dlopen :(
Fixes: #12044
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This causes some i2c drivers to load and tons of error messages
being created in syslog. So we skip searching for any sensors
that do not exist.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This field is required and therefore we need to initialize it
for old connections. Right now, the CGI throws an error message
when editing an existing connection without the MTU being filled
in.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When there is a large number of leases, writing the file may
take a long time. When unbound is re-reading its configuration
in that time, the file might syntactically incorrect.
This change writes the file first and then moves it
to the right place in one transaction.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
