Skip to content

Commit

Permalink
Bugfix: Use HTTPS for ripe/arin queries.
Browse files Browse the repository at this point in the history 
Prevent reflected XSS in ripe/arin data in low probability scenario
an attacker can proxy and modify Internet RIPE/ARIN requests.
  • Loading branch information
@GaryAllan
GaryAllan committed Apr 1, 2022
1 parent 2104e44 commit 47c1049
Show file tree
Hide file tree
Showing 3 changed files with 7 additions and 4 deletions.
6 changes: 4 additions & 2 deletions app/admin/subnets/ripe-query.php
View file
Expand Up @@ -22,14 +22,14 @@
?>

<!-- header -->
<div class="pHeader"><?php print _(ucwords($res['result'])); ?></div>
<div class="pHeader"><?php print _(ucwords(escape_input($res['result']))); ?></div>

<!-- content -->
<div class="pContent">
<?php
// error ?
if ($res['result']=="error") {
$Result->show("danger", _(ucwords($res['error'])), false);
$Result->show("danger", _(ucwords(escape_input($res['error']))), false);
}
// ok, print field matching
else {
Expand All @@ -53,6 +53,8 @@
// loop
if (isset($res['data'])) {
foreach ($res['data'] as $k=>$d) {
$d = escape_input($d);

print "<tr>";
print "<td>";
print " <span class='text-muted'>$k</span>: $d";
Expand Down
4 changes: 2 additions & 2 deletions functions/classes/class.Subnets.php
View file
Expand Up @@ -3524,7 +3524,7 @@ public function resolve_ripe_arin ($subnet) {
* Queries ripe for subnet information
*
* Example:
* curl -X GET -H "Accept: application/json" "http://rest.db.ripe.net/ripe/inetnum/185.72.140.0/24"
* curl -X GET -H "Accept: application/json" "https://rest.db.ripe.net/ripe/inetnum/185.72.140.0/24"
*
* @access private
* @param mixed $subnet
Expand Down Expand Up @@ -3620,7 +3620,7 @@ private function query_arin ($subnet) {
*/
private function ripe_arin_fetch ($network, $type, $subnet) {
// set url
$url = $network=="ripe" ? "http://rest.db.ripe.net/ripe/$type/$subnet" : "http://whois.arin.net/rest/nets;q=$subnet?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2";
$url = $network=="ripe" ? "https://rest.db.ripe.net/ripe/$type/$subnet" : "https://whois.arin.net/rest/nets;q=$subnet?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2";

$result = $this->curl_fetch_url($url, ["Accept: application/json"]);

Expand Down
1 change: 1 addition & 0 deletions misc/CHANGELOG
View file
Expand Up @@ -91,6 +91,7 @@
+ XSS while uploading CVS files;
+ XSS (reflected) in 'find subnets';
+ Incorrect privilege assignments (#3506);
+ XXS (reflected) in ripe-arin-query;

Translations:
----------------------------
Expand Down

0 comments on commit 47c1049

Please sign in to comment.