Security issue in DHCP table



  • Hello all.

    I have reported this issue before using the ticket system, however nothing has happened since.

    When viewing the DHCP leases in the administrator CP, the hostnames of the computers are not escaped which can result in XSS and execution of javascript. You could use it to send a POST request when logged in as the administrator and change the login to something else, compromising the server.

    This can be solved by using htmlentities() on the hostnames.

    Please note that Windows does not allow characters like > and < in the hostname, however other clients like dhclient on Linux does.

    I suspect the same problem also affects the captive portal when using RADUIS authentication and having HTML/Javascript in the username, however I have not been able to test it.


Log in to reply