[FREEPBX-20557] XSS in Superfecta.class.php - Sangoma Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 13, 14, 15
Fix Version/s: 13, 14, 15
Component/s: CID Superfecta
Labels:
None

Sprint:
Sprint 17!
ToDo:

Distro Version:
SNG7-PBX-64bit-1904-2
Distro:
FreePBX Distro
Module Fix Version:

Description

html\admin\modules\superfecta\Superfecta.class.php

https://github.com/FreePBX/superfecta/blob/release/14.0/Superfecta.class.php

Unsanitized $_REQUEST['tel'] and $_REQUEST['level'] reflected in HTML leads to XSS (as you can see in screenshot attached on latest FreePBX ISO, ajax request is manipulated with Burp)

l.309+:
echo ""._('Debug is on and set at level:')." ".$_REQUEST['level']."";
echo ""._('The Original Number:')." ".$_REQUEST['tel']."";

Gliffy Diagrams

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

2019-09-14_11h03_31.png
119 kB
14/Sep/19 9:18 AM
2019-09-14_11h05_38.png
126 kB
14/Sep/19 9:18 AM

Activity

People

Assignee:

Franck Danard [X] (Inactive)

Reporter:

respect

Votes:

0 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

14/Sep/19 9:19 AM

Updated:

12/Nov/21 2:25 AM

Resolved:

03/Dec/19 10:10 AM

NextupJiraPlusStatus

Error rendering 'slack.nextup.jira:nextup-jira-plus-status'. Please contact your Jira administrators.