Reviewed-by: Bernhard Bitsch <[email protected]>

On 25.09.2025 at 13:12, Adolf Belka wrote:
Fixes: bug 13884 - ddns.cgi LOGIN PASSWORD SERVICE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <[email protected]>
---
  html/cgi-bin/ddns.cgi | 5 ++++-
  1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi
index 34475b75c..60565da3f 100644
--- a/html/cgi-bin/ddns.cgi
+++ b/html/cgi-bin/ddns.cgi
@@ -2,7 +2,7 @@
  
###############################################################################
  #                                                                             
#
  # IPFire.org - A linux based firewall                                         
#
-# Copyright (C) 2007-2014  IPFire Team  <[email protected]>                     #
+# Copyright (C) 2007-2025  IPFire Team  <[email protected]>                     #
  #                                                                             
#
  # This program is free software: you can redistribute it and/or modify        
#
  # it under the terms of the GNU General Public License as published by        
#
@@ -226,6 +226,9 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || 
($settings{'ACTION'} eq $Lang::
                        flock FILE, 2;
# Add account data to the file.
+                       $settings{'SERVICE'} = 
&Header::escape(($settings{'SERVICE'});
+                       $settings{'LOGIN'} = 
&Header::escape(($settings{'LOGIN'});
+                       $settings{'PASSWORD'} = 
&Header::escape(($settings{'PASSWORD'});
                        print FILE 
"$settings{'SERVICE'},$hostname,$domain,$settings{'PROXY'},$settings{'WILDCARDS'},$settings{'LOGIN'},$settings{'PASSWORD'},$settings{'ENABLED'}\n";
# Close file after writing.
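
Review bot: The three added lines each call `&Header::escape((` with two opening parentheses but close only one, e.g. `&Header::escape(($settings{'SERVICE'});`, so ddns.cgi will fail to compile as posted; each should read `&Header::escape($settings{'SERVICE'});` and likewise for LOGIN and PASSWORD. Separately, the escaped values are assigned back into `%settings` and then written by `print FILE`, so the file stores the escaped form of LOGIN and PASSWORD rather than what the user typed. If `escape` rewrites any character that can legitimately appear in a credential, whatever later reads this file for the update request gets a different string. Escaping at the point where these fields are printed into the page would close the stored XSS without altering the saved credentials. It is also worth confirming that every other place that writes these fields to the file gets the same treatment, since only this one write is visible in the hunk.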

