[PATCH 16/16] proxy.cgi: Further fix for bug 13893

Sat, 27 Sep 2025 04:43:43 -0700 

- Previous patch for proxy.cgi was related to the mitigation provided by the 
bug reporter
   for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned 
in the
   description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
   ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from 
dns.cgi
   which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those 
in the
   bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
   ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD

Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <[email protected]>
---
 html/cgi-bin/proxy.cgi | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 1ade39381..3fbd78d2c 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3977,8 +3977,16 @@ END
                print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
        }
 
-       if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE 
"cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; }
-       if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE 
"cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; }
+       if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq ''))
+               {
+                       $proxysettings{'ADMIN_MAIL_ADDRESS'} = 
&Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'});
+                       print FILE "cache_mgr 
$proxysettings{'ADMIN_MAIL_ADDRESS'}\n";
+               }
+       if (!($proxysettings{'ADMIN_PASSWORD'} eq ''))
+               {
+                       $proxysettings{'ADMIN_PASSWORD'} = 
&Header::escape($proxysettings{'ADMIN_PASSWORD'});
+                       print FILE "cachemgr_passwd 
$proxysettings{'ADMIN_PASSWORD'} all\n";
+               }
        print FILE "\n";
 
        print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n";
@@ -3994,8 +4002,13 @@ END
                # login=*:password      ($proxysettings{'FORWARD_USERNAME'} eq 
'on')
                if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS'))
                {
+                       $proxysettings{'UPSTREAM_USER'} = 
&Header::escape($proxysettings{'UPSTREAM_USER'});
                        print FILE " login=$proxysettings{'UPSTREAM_USER'}";
-                       if ($proxy1 eq 'YES') { print FILE 
":$proxysettings{'UPSTREAM_PASSWORD'}"; }
+                       if ($proxy1 eq 'YES')
+                       {
+                               $proxysettings{'UPSTREAM_PASSWORD'} = 
&Header::escape($proxysettings{'UPSTREAM_PASSWORD'});
+                               print FILE 
":$proxysettings{'UPSTREAM_PASSWORD'}";
+                       }
                }
                elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE 
" login=*:password"; }
 
-- 
2.51.0

Reply via email to