CVE-2025-34305
📋 TL;DR
IPFire versions before 2.29 Core Update 198 contain stored XSS vulnerabilities where authenticated users can inject malicious scripts into various web interface fields. These scripts execute when other users view the affected entries, potentially compromising their sessions or performing unauthorized actions. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform administrative actions as other users, redirect users to malicious sites, or deploy malware through the web interface.
Likely Case
Authenticated users with malicious intent could perform session hijacking against other users, modify system configurations, or exfiltrate sensitive data from the web interface.
If Mitigated
With proper input validation and output encoding, the risk is eliminated. Network segmentation and least privilege access reduce potential impact.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of vulnerable endpoints. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IPFire 2.29 Core Update 198
Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Restart Required: No
Instructions:
1. Log into the IPFire web interface as admin.
2. Navigate to System > Updates.
3. Click 'Check for updates'.
4. Apply Core Update 198.
5. Verify the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable CGI endpoints
Temporarily disable access to the affected CGI scripts until patched. Note that this also breaks the corresponding web interface pages until the permissions are restored after the update.
chmod 000 /var/ipfire/cgi-bin/wakeonlan.cgi
chmod 000 /var/ipfire/cgi-bin/dhcp.cgi
chmod 000 /var/ipfire/cgi-bin/connscheduler.cgi
chmod 000 /var/ipfire/cgi-bin/dnsforward.cgi
chmod 000 /var/ipfire/cgi-bin/vpnmain.cgi
chmod 000 /var/ipfire/cgi-bin/dns.cgi
🧯 If You Can't Patch
- Restrict web interface access to trusted IP addresses only using firewall rules
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check the IPFire version via the web interface (System > About) or on the command line (see "Check Version" below).
Check Version:
grep '\$VERSION' /var/ipfire/general-functions.pl
Verify Fix Applied:
Verify version is 2.29 Core Update 198 or later. Test vulnerable endpoints with safe XSS payloads to confirm sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to vulnerable CGI endpoints with script tags
- Multiple failed authentication attempts followed by successful login and POST to vulnerable endpoints
Network Indicators:
- HTTP POST requests to /cgi-bin/*.cgi containing script tags or JavaScript in parameters
SIEM Query:
source="ipfire_web.log" AND (uri="/cgi-bin/wakeonlan.cgi" OR uri="/cgi-bin/dhcp.cgi" OR uri="/cgi-bin/connscheduler.cgi" OR uri="/cgi-bin/dnsforward.cgi" OR uri="/cgi-bin/vpnmain.cgi" OR uri="/cgi-bin/dns.cgi") AND (method="POST") AND (body CONTAINS "<script>" OR body CONTAINS "javascript:")
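As an added example (not part of this advisory), the following Python script applies the detection logic of the SIEM query above to constructed sample log lines, URL-decoding request bodies and matching case-insensitively so that encoded payloads such as `%3Cscript%3E` are not missed. The log line layout is an assumed one for the example, not IPFire's actual log format.

```python
import re
from urllib.parse import unquote_plus

# Endpoints named in the advisory's workaround and SIEM query.
VULNERABLE_CGIS = {
    "/cgi-bin/wakeonlan.cgi", "/cgi-bin/dhcp.cgi", "/cgi-bin/connscheduler.cgi",
    "/cgi-bin/dnsforward.cgi", "/cgi-bin/vpnmain.cgi", "/cgi-bin/dns.cgi",
}

# Markers from the advisory's SIEM query, matched case-insensitively
# against the URL-decoded body so encoded or upper-cased variants are caught.
SCRIPT_MARKERS = re.compile(r"<script\b|javascript:", re.IGNORECASE)

# Assumed (constructed) line layout for this example:
#   '<client_ip> <user> <METHOD> <uri> <status>[ body=<urlencoded body>]'
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})"
    r"(?: body=(?P<body>.*))?$"
)

def flag_line(line):
    """Return (ip, user, uri, decoded_body) for a suspicious POST, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    uri = m.group("uri").split("?", 1)[0]  # compare the path only, not the query string
    if m.group("method") != "POST" or uri not in VULNERABLE_CGIS:
        return None
    body = unquote_plus(m.group("body") or "")  # decode before pattern matching
    if not SCRIPT_MARKERS.search(body):
        return None
    return (m.group("ip"), m.group("user"), uri, body)

def scan(lines):
    """Run flag_line over an iterable of log lines and return all hits."""
    return [hit for hit in (flag_line(l) for l in lines) if hit]

# Constructed sample lines: a benign save, an encoded script tag, a GET, a javascript: URI.
SAMPLE_LOG = [
    "10.0.0.5 admin POST /cgi-bin/dhcp.cgi 200 body=HOSTNAME=printer01&ACTION=Save",
    "10.0.0.9 admin POST /cgi-bin/wakeonlan.cgi 200 body=COMMENT=%3Cscript%3Ealert(1)%3C%2Fscript%3E&ACTION=Add",
    "10.0.0.9 admin GET /cgi-bin/dns.cgi 200",
    "10.0.0.7 admin POST /cgi-bin/vpnmain.cgi 200 body=NAME=branch&REMARK=JAVASCRIPT%3Aalert(1)",
]

if __name__ == "__main__":
    for ip, user, uri, body in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {user} {uri} {body!r}")
```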