[Pkg-netmeasure-discuss] Bug#1031542: dbeacon: XSS Vulnerability in matrix.pl

Raoul Gunnar Borenius borenius at dfn.de
Sat Feb 18 08:49:23 GMT 2023


Package: dbeacon
Version: 0.4.0-2+b2
Severity: important
Tags: patch upstream

Dear Maintainer,

The included CGI script /usr/share/dbeacon/matrix.pl is vulnerable to
cross-site scripting (XSS) attacks because it does not properly validate its input.

A patch that mitigates the problem is included.

Cheers,

 Raoul

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-5-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dbeacon depends on:
ii  adduser                    3.131
ii  libc6                      2.36-8
ii  libgcc-s1                  12.2.0-14
ii  libstdc++6                 12.2.0-14
ii  lsb-base                   11.6
ii  sysvinit-utils [lsb-base]  3.06-2

Versions of packages dbeacon recommends:
ii  libxml-parser-perl  2.46-4
ii  perl                5.36.0-7

Versions of packages dbeacon suggests:
pn  librrds-perl  <none>

-- no debconf information
-------------- next part --------------
--- /usr/share/dbeacon/matrix.pl	2016-06-20 13:46:15.000000000 +0200
+++ matrix.pl	2023-02-18 09:20:28.861711524 +0100
@@ -10,7 +10,7 @@
 #
 #   Perl code improvement suggestions by Marco d'Itri
 
-use CGI;
+use CGI; use HTML::Entities;
 use XML::Parser;
 use POSIX qw(strftime);
 use Time::HiRes qw(gettimeofday tv_interval);
@@ -97,13 +97,13 @@
 my $page = new CGI;
 my $url = $page->script_name().'?';
 
-my $dst = $page->param('dst');
-my $src = $page->param('src');
-my $type = $page->param('type');
-my $age = $page->param('age');
-my $at = $page->param('at');
+my $dst = $page->param('dst');		$dst = HTML::Entities::encode($dst);
+my $src = $page->param('src');		$src = HTML::Entities::encode($src);
+my $type = $page->param('type');	$type = HTML::Entities::encode($type);
+my $age = $page->param('age');		$age = HTML::Entities::encode($age);
+my $at = $page->param('at');		$at = HTML::Entities::encode($at);
 
-my $beacon_id = $page->param('id');
+my $beacon_id = $page->param('id');	$beacon_id = HTML::Entities::encode($beacon_id);
 if ($beacon_id) {
     -d $beacon_config_base && -f "$beacon_config_base/$beacon_id/matrix.conf" 
 	&& do "$beacon_config_base/$beacon_id/matrix.conf";
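Review bot: HTML-entity-encoding `$beacon_id` does not make it safe for the filesystem use two lines below, where it is interpolated into the path tested with `-f` and then run with `do`. Characters such as `.` and `/` pass through `HTML::Entities::encode` unchanged, so the value can still select a directory other than the intended one under `$beacon_config_base`, and whatever `matrix.conf` is found there is executed as Perl. The id should be checked against a strict allow-list before the `if`, for example `$beacon_id = undef unless defined $beacon_id && $beacon_id =~ /\A[A-Za-z0-9_-]+\z/;` (the permitted character set is an assumption; adjust it to the real id format). The `if ($beacon_id)` block continues outside the hunk.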
@@ -171,11 +171,11 @@
 sub build_vertex_one {
 	my ($dstaddr, $srcaddr, $index, $path) = @_;
 
-	my ($start, $step, $names, $data);
+	my ($start, $step, $names, $data); my $at = $page->param('at'); $at = HTML::Entities::encode($at);
 
 	($start, $step, $names, $data) =
 		$RRDs::{fetch}($path, 'AVERAGE', '-s',
-		$page->param('at'), '-e', $page->param('at'));
+		$at, '-e', $at);
 
 	return [-1, -1] if $RRDs::{error};
 
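Review bot: `$at` is passed here to the RRDs `fetch` call as the `-s`/`-e` time argument, not written into HTML, so entity encoding is the wrong control at this point: it leaves any text without HTML-special characters intact and would alter a value containing `&`. Since the value appears to be a timestamp, validate it as one and bail out otherwise, e.g. `return [-1, -1] unless defined $at && $at =~ /\A\d+\z/;` (confirm the accepted format against the callers). The same applies to `$ammount` in the `@@ -497` hunk, which is matched against a fixed list of second counts, and to `$attat` in the `@@ -733` hunk. The new `my $at` also appears to shadow the file-level `$at` that the `@@ -97` hunk already encodes. The body of `build_vertex_one` continues outside the hunk.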
@@ -497,7 +497,7 @@
 
 		printx '<select name="offset" style="margin-left: 0.5em; margin-right: 0.5em">'."\n";
 
-		my $ammount = $page->param('ammount');
+		my $ammount = $page->param('ammount'); $ammount = HTML::Entities::encode($ammount);
 		$ammount ||= 60;
 
 		my @ammounts = ([60, '60 s'], [600, '10m'], [3600, '1h'], [14400, '4h'], [43200, '12h'], [86400, '24h'], [604800, '7d'], [2592000, '30d']);
@@ -718,11 +718,11 @@
 sub render_matrix {
 	my ($start, $step) = @_;
 
-	my $attname = $page->param('att');
-	my $atthideinfo = $page->param('hideinfo');
-	my $attwhat = $page->param('what');
-	my $full_matrix = $page->param('full');
-	my $show_lastupdate = $page->param('showlastupdate');
+	my $attname = $page->param('att');			$attname = HTML::Entities::encode($attname);
+	my $atthideinfo = $page->param('hideinfo');		$atthideinfo = HTML::Entities::encode($atthideinfo);
+	my $attwhat = $page->param('what');			$attwhat = HTML::Entities::encode($attwhat);
+	my $full_matrix = $page->param('full');			$full_matrix = HTML::Entities::encode($full_matrix);
+	my $show_lastupdate = $page->param('showlastupdate');	$show_lastupdate = HTML::Entities::encode($show_lastupdate);
 
 	$attname ||= 'ttl';
 	$atthideinfo ||= $default_hideinfo;
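Review bot: The read-then-encode pair is repeated by hand for every parameter in `render_matrix` (and again in the `@@ -97`, `@@ -497` and `@@ -733` hunks), two statements per line, which makes it easy for a later `$page->param(...)` call to be added without the encoding. A small helper such as `sub param_html { my ($name) = @_; return HTML::Entities::encode(scalar $page->param($name)); }` would keep the encoding in one place and keep the call in scalar context. Values that are only compared against fixed strings, like `$attwhat` against `'both'`, would be better checked against an allow-list than encoded. `render_matrix` continues outside the hunk.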
@@ -733,7 +733,7 @@
 
 	$what_td = 'colspan="2"' if $attwhat eq 'both';
 
-	my $attat = $page->param('at');
+	my $attat = $page->param('at'); $attat = HTML::Entities::encode($attat);
 	$attat = 0 if not defined $attat or $attat eq '';
 
 	my $addinfo = '';

