FreePBX / FREEPBX-4587

XSS in Asterisk phonebook via import CSV file.


    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 2.8
    • Fix Version/s: None
    • Component/s: Phonebook
    • Labels:

      Description

      Morning, if you import a contact from within a CSV file like this:

      "/><script>alert(document.cookie);</script>";123123123;12313
      FATAL ERROR

      then reload ... you will see your cookie!

      I don't know how serious this actually is and I couldn't find a contact email ... So I left this here ...
      I tested this against the Asterisk phonebook found in Trixbox CE (the latest stable release). I haven't had a chance to test this against the stable version of FreePBX.
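      What the report describes is a stored XSS: a field from the uploaded CSV is saved as-is and later written into the phonebook page without output encoding, so markup in the contact name is interpreted by the browser of whoever views the list. The Python below is an added example written for this page, not FreePBX or Trixbox code (the phonebook module itself is PHP and is not shown here). It parses the report's CSV line, renders it into a hypothetical row template with and without HTML encoding, and uses a tokenizer to check whether a <script> element was injected. The column layout (name;number;speed dial), the row template and the sample file are assumptions.

```python
import csv
import html
import io
from html.parser import HTMLParser

# Constructed sample import file, modelled on the payload in the report above.
# The column layout (name;number;speed dial) is an assumption; this page does
# not describe the real phonebook CSV format.
SAMPLE_CSV = (
    '"/><script>alert(document.cookie);</script>";123123123;12313\n'
    'Alice Example;5551234;201\n'
)


def parse_phonebook_csv(text):
    """Parse semicolon-separated rows into phonebook entries.

    A quote-aware reader is needed because the payload contains a ';' inside
    the quoted first field. The reader strips the surrounding quotes, so the
    stored name is '/><script>alert(document.cookie);</script>'. Short rows
    are skipped instead of aborting the whole import.
    """
    entries = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) < 3:
            continue
        name, number, speeddial = (field.strip() for field in row[:3])
        entries.append({"name": name, "number": number, "speeddial": speeddial})
    return entries


# Hypothetical list template; the real phonebook markup is not on this page.
ROW_TEMPLATE = "<tr><td>{name}</td><td>{number}</td><td>{speeddial}</td></tr>"


def render_row_vulnerable(entry):
    """Interpolate stored fields straight into the page (no output encoding)."""
    return ROW_TEMPLATE.format(**entry)


def render_row_safe(entry):
    """Same template, but every field is HTML-encoded at output time.

    quote=True also escapes ' and ", so the same helper is safe inside a
    quoted attribute such as the value="..." of an edit form.
    """
    encoded = {key: html.escape(value, quote=True) for key, value in entry.items()}
    return ROW_TEMPLATE.format(**encoded)


class _TagCollector(HTMLParser):
    """Collect start tags the way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(fragment):
    """Return the list of start tags present in a rendered fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def has_injected_script(fragment):
    """True if stored data managed to introduce a <script> element."""
    return "script" in start_tags(fragment)


if __name__ == "__main__":
    for entry in parse_phonebook_csv(SAMPLE_CSV):
        unsafe = render_row_vulnerable(entry)
        safe = render_row_safe(entry)
        print("vulnerable:", unsafe, "-> script injected:", has_injected_script(unsafe))
        print("encoded:   ", safe, "-> script injected:", has_injected_script(safe))
```

      Note that the csv reader strips the outer quotes, so the stored name starts with `/>`; the leading `"` in the reporter's payload only matters if the importer keeps it and the value is later placed inside a quoted attribute, where it closes the attribute before the `/>` closes the tag. Encoding with quotes escaped covers both the text-node and the attribute context; rejecting oddly formed rows at import time is worth doing too, but it is a defence-in-depth measure, not a substitute for encoding on output.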

    People

    • Assignee: Unassigned
    • Reporter: d-b d-b