Security issue in DHCP table
Hello all.
I have reported this issue before using the ticket system; however, nothing has happened since.
When viewing the DHCP leases in the administrator CP, the hostnames of the computers are not escaped, which can result in XSS and execution of JavaScript. You could use it to send a POST request when logged in as the administrator and change the login to something else, compromising the server.
This can be solved by using htmlentities() on the hostnames.
Please note that Windows does not allow characters like > and < in the hostname; however, other clients like dhclient on Linux do.
I suspect the same problem also affects the captive portal when using RADIUS authentication and having HTML/JavaScript in the username; however, I have not been able to test it.
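
The fix suggested in the post, sketched as an added example that is not part of the original post and not the project's own code: a lease table renderer that passes every client-supplied field through htmlentities() and also flags hostnames that are not valid DNS names. The lease data, the helper names `h()`, `is_plain_hostname()` and `render_lease_rows()`, and the `suspicious` CSS class are assumptions made for illustration.

```php
<?php
// Constructed sample leases, not taken from any real system. The last two
// hostnames contain markup, which the post notes some DHCP clients can send.
$leases = [
    ['ip' => '192.168.1.10', 'mac' => '00:11:22:33:44:55', 'hostname' => 'workstation-01'],
    ['ip' => '192.168.1.11', 'mac' => '00:11:22:33:44:66', 'hostname' => '<script>alert(1)</script>'],
    ['ip' => '192.168.1.12', 'mac' => '00:11:22:33:44:77', 'hostname' => 'x" onmouseover="alert(1)'],
];

// Hypothetical helper: escape an untrusted value for HTML output.
function h(string $value): string
{
    // ENT_QUOTES escapes both ' and ", so the result is also safe inside
    // a quoted attribute. ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of making htmlentities() return an empty string.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: true if the name is dot-separated LDH labels
// (letters, digits, hyphen; 1 to 63 characters; no leading/trailing hyphen).
function is_plain_hostname(string $name): bool
{
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return strlen($name) <= 253
        && preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $name) === 1;
}

function render_lease_rows(array $leases): string
{
    $html = '';
    foreach ($leases as $lease) {
        // Escaping is what prevents the XSS. The validity check only marks
        // odd names so an administrator can spot them in the table.
        $class = is_plain_hostname($lease['hostname']) ? 'ok' : 'suspicious';
        $html .= sprintf(
            "<tr class=\"%s\"><td>%s</td><td>%s</td><td title=\"%s\">%s</td></tr>\n",
            $class,
            h($lease['ip']),
            h($lease['mac']),
            h($lease['hostname']),   // attribute context
            h($lease['hostname'])    // element content
        );
    }
    return $html;
}

echo "<table>\n" . render_lease_rows($leases) . "</table>\n";
```

The third sample row shows why ENT_QUOTES matters: without it, a double quote in the hostname would close the `title` attribute even though `<` and `>` are escaped.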