Control: reopen -1

Hi,

squeeze is vulnerable, as seen on the Navigator Graph page by changing the displaymode in the URL. It gets echoed back by this:

> return "<div>ERROR: unknown displaymode $mode</div>"

I'm not convinced the 'blacklist characters' approach was a great way to handle it, but at least in wheezy/sid it seems no longer possible to inject HTML that way.

Even in smokeping-2.6.9 though, the "start" and "end" time fields are not filtered. For example, enter this in one of the text boxes as a start or end time:

now" oops "

and the generated HTML contains:

<IMG id="zoom" BORDER="0" width="697" height="315" SRC="/smokeping/images/__navcache/136343653521739_now" oops "_1363423440.png">

Fortunately though, it doesn't seem possible to use an equals sign in these parameters, and so I don't see a way to perform XSS.

It is a little scary that these strings are also used to create/unlink files:

/var/cache/smokeping/images/__navcache# ls -alt | head
-rw-r--r-- 1 www-data root 32316 Mar 16 12:22 136343653521739_now" oops "_1363423440.png

And so for example, a start/end time of:

now"/

triggers an error; the quotes in the error message are not properly 'quoted', but fortunately HTML tags are being stripped out somehow:

> ERROR: Could not save png to
> '/var/cache/smokeping/images/__navcache/136343678121739_now"/_1363423440.png'
> /var/cache/smokeping/images/__navcache/136343678121739_now"/_1363423440.png

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
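The two weaknesses in the report above are (a) a request parameter interpolated into markup without escaping and (b) free-form time strings that end up both inside an HTML attribute and inside a filename under the cache directory. The following Perl is an added illustration of the usual fix, not smokeping's own code: contextual HTML escaping at the point of output, plus a whitelist check on the "start"/"end" values before they touch the filesystem. The function names, the character class accepted by `valid_time_spec`, and the cache path are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that matter in HTML text and attribute
# values. Apply this at output time to anything that came from the request.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Whitelist for rrdtool AT-STYLE time specs such as "now", "now-1d",
# "end-6h" or "12:00 yesterday". Assumption: this character set covers
# what the navigator form needs. It rejects quotes, angle brackets, NUL,
# path separators and every kind of whitespace except a single space, so
# the value is safe to embed in a filename as well as in markup.
sub valid_time_spec {
    my ($t) = @_;
    return defined $t
        && length($t) <= 64
        && $t =~ /\A[A-Za-z0-9 +\-:.]+\z/;
}

# Hardened form of the error line quoted in the report: the untrusted
# $mode is escaped, so it can no longer introduce tags or attributes.
sub render_error_mode {
    my ($mode) = @_;
    return '<div>ERROR: unknown displaymode ' . html_escape($mode) . '</div>';
}

# Hardened form of the zoom image tag: the time fields are validated
# before being used in the cache filename, and the resulting path is
# escaped before being placed in the SRC attribute.
sub zoom_img_tag {
    my ($cache_url, $start, $end) = @_;
    die "invalid start/end time\n"
        unless valid_time_spec($start) && valid_time_spec($end);
    # Constructed name; the real application prefixes a numeric id.
    my $file = "${start}_${end}.png";
    return '<IMG id="zoom" BORDER="0" SRC="'
         . html_escape("$cache_url/$file") . '">';
}

# Demonstration with constructed inputs, including the value from the report.
print render_error_mode('foo<b>bar</b>'), "\n";
print zoom_img_tag('/smokeping/images/__navcache', 'now-1d', 'now'), "\n";
eval { zoom_img_tag('/smokeping/images/__navcache', 'now" oops "', 'now') };
print "rejected: $@" if $@;
```

The whitelist, rather than a list of forbidden characters, is the important design choice: the report notes that the blacklist in later versions happens to block `=` and tags, but a blacklist leaves every untested character (here `"` and `/`) free to reach the filename and the attribute. Validating once at the boundary and escaping once at output covers both sinks without having to reason about which characters each one tolerates.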