This patch fixes the behavior in 11696 and adds IPSEC and OpenVPN n2n subnets to wpad.dat so they don't pass through the proxy.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #12084
Since the Suricata regex did not match the messages output, Suricata was not displayed in the "System Logs" section in the WUI.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is not working for quite some time now because all search
engines have moved over to HTTPS. Therefore we no longer can
manipulate the URL query string.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fix a bug that allows users to add multiple NICs to non-bridged zones.
This fix includes a new error message.
Unused zones are now invisible instead of grey.
An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://192.168.0.241:444/cgi-bin/routing.cgi) Routing Table Entries
via the "Remark" text box or "remark" parameter. This is due to a
lack of user input validation in "Remark" text box or "remark"
parameter. It allows an authenticated WebGUI user with privileges
for the affected page to execute Stored Cross-site Scripting in
the Routing Table Entries (/cgi-bin/routing.cgi), which helps
attacker to redirect the victim to a attacker's phishing page.
The Stored XSS get prompted on the victims page whenever victim
tries to access the Routing Table Entries configuraiton page.
An attacker get access to the victim's session by performing
the CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.
This attack can possibly spoof the victim's informations.
Fixes: #12072
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is a bit shouty and there are various places where we do not
warn about this problem, so this patch makes it more consistent.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://localhost:444/cgi-bin/captive.cgi) Captive Portal via the
"Title of Login Page" text box or "TITLE" parameter. This is due to
a lack of user input validation in "Title of Login Page" text box
or "TITLE" parameter. It allows an authenticated WebGUI user with
privileges for the affected page to execute Stored Cross-site
Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which
helps attacker to redirect the victim to a attacker's page.
The Stored XSS get prompted on the victims page whenever victim
tries to access the Captive Portal page.
An attacker get access to the victim's session by performing the
CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.
This attack can possibly spoof the victim's informations.
Fixes: #12071
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds a new CGI file which allows users to edit the
VLAN configuration as well as configuring zones as bridges.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
IPFire has moved to suricata as IDS/IPS system, therefore all snort related
options has become obsolete.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The checkboxes were swapped which lead to client isolation
being enabled when the UI said disabled and vice-versa.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The checkboxes were swapped which lead to client isolation
being enabled when the UI said disabled and vice-versa.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds a notice with a link to the Wiki-page https://wiki.ipfire.org/configuration/network/proxy/extend/wpad to the new WebGUI-Setion to make the user aware of the fact, that WPAD will only work correctly if he makes further adjustments:
- Add DHCP-Options for WPAD via DHCP
- Add HOST-Entries to DNS and Apache-vhost or haproxy-frontend/backend or firewall-redirect for WPAD via DNS
These additional options depend on the users environment and can not be shipped by default as they might break the users setups.
Note: The translations are only done for "en" and "de" yet!
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds the missing Web-GUI for the WPAD-Exceptions to proxy.cgi
Note: The translations are only done for "en" and "de" yet!
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch extends the script /srv/web/ipfire/cgi-bin/proxy.cgi by additional code for reading exceptions for URL's and IP's/Subnets from two new files:
- /var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl
- /var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl
as described in: https://wiki.ipfire.org/configuration/network/proxy/extend/add_distri
These can be used to define additional URL's, IP's and Subnets that should be retrieved "DIRECT" and not via the proxy. The files have to be created by the user, as the WPAD-Feature is not enabled by default anyway. If the files are not present or their size is 0, nothing is done. I'll revise the wiki-page, after the patch is merged and the core update is released.
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In some cases, it might be useful to create an additional
host (i.e. for round robin loadbalancing) without assigning
another PTR to the IP address specified.
This patch introduces the ability to check or uncheck
PTR generation for each host individually.
Partially fixes#12030
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The CGI script only compares mm/dd and does not care about the year.
Suricata, however, logs the year as well which has to be ignored here.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This field is required and therefore we need to initialize it
for old connections. Right now, the CGI throws an error message
when editing an existing connection without the MTU being filled
in.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
hostapd supports client-isolation, but this feature could
not be configured via the WebUI so far. Since it might be
desired in public wireless networks, or even private ones,
it makes sense to provide a radio button to let the user
decide on.
Fixes#11974.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
