0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

PacketFence Network Access Controller XSS vulnerability

Author

K053

Risk

[

Security Risk Unsored

]

0day-ID

0day-ID-10342

Category

web applications

Date add

20-12-2009

Platform

unsorted

=======================================================
PacketFence Network Access Controller XSS vulnerability
=======================================================

# Title : Injection Flaw in PacketFence Network Access Controller
# Date : 20-12-2009
# Author : K053
# Tested on : Private Networks
# Download : http://www.packetfence.org/download/releases.html
______________________________________________________________________________________________
Note :
------
PacketFence is a fully supported, Free and Open Source network access control (NAC) system.
PacketFence is actively maintained and has been deployed in numerous large-scale institutions
over the past years. It can be used to effectively secure networks - from small to very large
heterogeneous networks.
______________________________________________________________________________________________
Bug [ Login.php ] :
-------------------
function check_input($input){
  if(preg_match("/^[\@a-zA-Z0-9_\:\,\(\)]/", $input) && strlen($input) <= 15){
    return true;
  }
  else{
    print "Invalid parameter: $input<br>";
    return false;
  }
}
 
//TODO are we being too difficult on what we accept as a password? ie: pass starting with ; is invalid
function check_sensitive_input($input){
  if(preg_match("/^[\@a-zA-Z0-9_\:\,\(\)]/", $input) && strlen($input) <= 15){
    return true;
  }
  else{
    print "Invalid sensitive parameter<br>";
    return false;
  }
}
______________________________________________________________________________________________
Poc :
-----
The Function fail on input validation on passed data, application is vulnerable to injection flaw like
Xss , Html Code injection ... :
 
Attacker can perform attack via post method : manipulate passed data or just enter something like
<script>alert(0)</script> in username filed .
______________________________________________________________________________________________



#  0day.today [2024-06-23]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

PacketFence Network Access Controller XSS vulnerability

Report Error

Report Error