[Pkg-netmeasure-discuss] Bug#1031542: dbeacon: XSS Vulnerability in matrix.pl
Raoul Gunnar Borenius
borenius at dfn.de
Sat Feb 18 08:49:23 GMT 2023
Package: dbeacon
Version: 0.4.0-2+b2
Severity: important
Tags: patch upstream
Dear Maintainer,
the included CGI script /usr/share/dbeacon/matrix.pl is vulnerable to
XSS attacks as it does not do proper input validation.
A patch that mitigates the problem is included.
Cheers,
Raoul
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-5-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages dbeacon depends on:
ii adduser 3.131
ii libc6 2.36-8
ii libgcc-s1 12.2.0-14
ii libstdc++6 12.2.0-14
ii lsb-base 11.6
ii sysvinit-utils [lsb-base] 3.06-2
Versions of packages dbeacon recommends:
ii libxml-parser-perl 2.46-4
ii perl 5.36.0-7
Versions of packages dbeacon suggests:
pn librrds-perl <none>
-- no debconf information
--- /usr/share/dbeacon/matrix.pl 2016-06-20 13:46:15.000000000 +0200
+++ matrix.pl 2023-02-18 09:20:28.861711524 +0100
@@ -10,7 +10,7 @@
#
# Perl code improvement suggestions by Marco d'Itri
-use CGI;
+use CGI; use HTML::Entities;
use XML::Parser;
use POSIX qw(strftime);
use Time::HiRes qw(gettimeofday tv_interval);
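Review bot: The new `use HTML::Entities;` is appended to the existing `use CGI;` line; give it its own line so the import block stays one statement per line, `use CGI;` then `use HTML::Entities;`. This also introduces a runtime dependency: HTML::Entities is shipped by the HTML-Parser distribution, and the dependency list in the report above names libxml-parser-perl but no HTML-Parser package, so the packaging would presumably need that added. Since CGI is already loaded, the escaping could alternatively be done with `CGI::escapeHTML`, which avoids the new dependency altogether.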
@@ -97,13 +97,13 @@
my $page = new CGI;
my $url = $page->script_name().'?';
-my $dst = $page->param('dst');
-my $src = $page->param('src');
-my $type = $page->param('type');
-my $age = $page->param('age');
-my $at = $page->param('at');
+my $dst = $page->param('dst'); $dst = HTML::Entities::encode($dst);
+my $src = $page->param('src'); $src = HTML::Entities::encode($src);
+my $type = $page->param('type'); $type = HTML::Entities::encode($type);
+my $age = $page->param('age'); $age = HTML::Entities::encode($age);
+my $at = $page->param('at'); $at = HTML::Entities::encode($at);
-my $beacon_id = $page->param('id');
+my $beacon_id = $page->param('id'); $beacon_id = HTML::Entities::encode($beacon_id);
if ($beacon_id) {
-d $beacon_config_base && -f "$beacon_config_base/$beacon_id/matrix.conf"
&& do "$beacon_config_base/$beacon_id/matrix.conf";
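Review bot: The new encoding of `$beacon_id` does not protect the two lines that follow it, where the value is interpolated into a filesystem path and passed to `do`: HTML entity encoding leaves `/` and `.` untouched, so anything path-shaped still reaches the filesystem. An identifier that names a config directory should be validated against an allowlist, e.g. `undef $beacon_id unless defined $beacon_id && $beacon_id =~ /\A[\w.-]+\z/;`, with the path only built when that passes. The same encode-instead-of-validate pattern applies to the values that are used as numbers rather than markup: `$at` (passed to `RRDs::fetch` as the `-s`/`-e` bounds in the hunk at 171), `$ammount` (hunk at 497, defaulted with `||= 60`) and `$attat` (hunk at 733, defaulted to 0), which a numeric check such as `/\A-?\d+\z/` would guard more precisely. Encoding at read time also changes the value for every later non-HTML use, so if `$dst` or `$src` is used as a lookup key elsewhere in the script, a value containing `&` would no longer match; that use is outside the hunk and would need confirming.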
@@ -171,11 +171,11 @@
sub build_vertex_one {
my ($dstaddr, $srcaddr, $index, $path) = @_;
- my ($start, $step, $names, $data);
+ my ($start, $step, $names, $data); my $at = $page->param('at'); $at = HTML::Entities::encode($at);
($start, $step, $names, $data) =
$RRDs::{fetch}($path, 'AVERAGE', '-s',
- $page->param('at'), '-e', $page->param('at'));
+ $at, '-e', $at);
return [-1, -1] if $RRDs::{error};
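Review bot: The added `my $at` inside `build_vertex_one` re-reads and re-encodes the same parameter that the file-scope `my $at` in the hunk at line 97 already holds, and it shadows that variable for the rest of the sub; since the sub already reaches `$page` from file scope the same way, it can use the outer `$at` directly and the new declaration can be dropped, leaving `my ($start, $step, $names, $data);` as it was. If the extra read is intentional, the three statements should at least be split onto separate lines. The body of `build_vertex_one` continues past the end of the hunk.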
@@ -497,7 +497,7 @@
printx '<select name="offset" style="margin-left: 0.5em; margin-right: 0.5em">'."\n";
- my $ammount = $page->param('ammount');
+ my $ammount = $page->param('ammount'); $ammount = HTML::Entities::encode($ammount);
$ammount ||= 60;
my @ammounts = ([60, '60 s'], [600, '10m'], [3600, '1h'], [14400, '4h'], [43200, '12h'], [86400, '24h'], [604800, '7d'], [2592000, '30d']);
@@ -718,11 +718,11 @@
sub render_matrix {
my ($start, $step) = @_;
- my $attname = $page->param('att');
- my $atthideinfo = $page->param('hideinfo');
- my $attwhat = $page->param('what');
- my $full_matrix = $page->param('full');
- my $show_lastupdate = $page->param('showlastupdate');
+ my $attname = $page->param('att'); $attname = HTML::Entities::encode($attname);
+ my $atthideinfo = $page->param('hideinfo'); $atthideinfo = HTML::Entities::encode($atthideinfo);
+ my $attwhat = $page->param('what'); $attwhat = HTML::Entities::encode($attwhat);
+ my $full_matrix = $page->param('full'); $full_matrix = HTML::Entities::encode($full_matrix);
+ my $show_lastupdate = $page->param('showlastupdate'); $show_lastupdate = HTML::Entities::encode($show_lastupdate);
$attname ||= 'ttl';
$atthideinfo ||= $default_hideinfo;
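Review bot: Each new line in `render_matrix` packs two statements together, `my $x = $page->param('x'); $x = HTML::Entities::encode($x);`, which is the same shape used in the hunks at 97, 171, 497 and 733; one expression per variable reads better, `my $attname = HTML::Entities::encode(scalar $page->param('att'));`. The `scalar` is needed if the call is collapsed: `param` in list context returns every value of a repeated query parameter, and `encode` would take a second value as its unsafe-character set rather than as text. The body of `render_matrix` continues past the end of the hunk.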
@@ -733,7 +733,7 @@
$what_td = 'colspan="2"' if $attwhat eq 'both';
- my $attat = $page->param('at');
+ my $attat = $page->param('at'); $attat = HTML::Entities::encode($attat);
$attat = 0 if not defined $attat or $attat eq '';
my $addinfo = '';