CVE-2025-34306
📋 TL;DR
This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript through the pienumber parameter when updating firewall IP search defaults. The injected code executes when other users view the affected web interface pages. All IPFire installations prior to version 2.29 (Core Update 198) are affected.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal admin session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to full system compromise.
Likely Case
Attackers with authenticated access could perform session hijacking, deface web interfaces, or steal sensitive information from other users.
If Mitigated
With proper input validation and output encoding, the vulnerability is eliminated; authenticated users cannot inject malicious scripts.
🎯 Exploit Status
Exploitation requires authenticated access; because the XSS is stored, the injected payload persists in the configuration until it is removed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IPFire 2.29 (Core Update 198)
Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Restart Required: No
Instructions:
1. Log into the IPFire web interface as admin.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify that the update completes successfully.
🔧 Temporary Workarounds
Input Validation via Web Application Firewall
Deploy a WAF to block XSS payloads in POST requests to /cgi-bin/logs.cgi/firewalllogip.dat
Restrict Access to Web Interface
Limit web interface access to trusted IP addresses only using firewall rules
iptables -A INPUT -p tcp --dport 444 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 444 -j DROP
🧯 If You Can't Patch
- Restrict user accounts to only trusted personnel and implement strong authentication
- Monitor logs for suspicious POST requests to /cgi-bin/logs.cgi/firewalllogip.dat with unusual parameters
🔍 How to Verify
Check if Vulnerable:
Check IPFire version via web interface (System > About) or command line: cat /etc/ipfire-release
Check Version:
cat /etc/ipfire-release
Verify Fix Applied:
Verify that the version is 2.29 or later; test by submitting a basic XSS payload in the pienumber parameter and confirming that it is sanitized
📡 Detection & Monitoring
Log Indicators:
- POST requests to /cgi-bin/logs.cgi/firewalllogip.dat with script tags or JavaScript in parameters
- Unusual user activity following firewall log page views
Network Indicators:
- HTTP traffic containing XSS payloads in POST data to the vulnerable endpoint
SIEM Query:
source="ipfire_web_logs" AND uri="/cgi-bin/logs.cgi/firewalllogip.dat" AND (method="POST") AND (request_body LIKE "%<script>%" OR request_body LIKE "%javascript:%")
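The SIEM query above matches the literal strings `<script>` and `javascript:`, but a form-encoded POST body carries them as `%3Cscript%3E` and `javascript%3A`. The following added detector (example code, not part of the advisory or of IPFire) URL-decodes the body before matching and runs over constructed sample records; the record format, field names and bodies are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request records (not real IPFire logs); the field
# layout is an assumption for this example.
VULN_URI = "/cgi-bin/logs.cgi/firewalllogip.dat"
SAMPLE_LOGS = [
    {"method": "POST", "uri": VULN_URI, "body": "pienumber=10"},
    {"method": "POST", "uri": VULN_URI,
     "body": "pienumber=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"method": "POST", "uri": VULN_URI,
     "body": "pienumber=10&note=JavaScript%3Aalert(1)"},
    {"method": "GET", "uri": VULN_URI, "body": ""},
    {"method": "POST", "uri": "/cgi-bin/index.cgi", "body": "pienumber=%3Cscript%3E"},
]

# Indicators named in the advisory: a <script> tag or a javascript: URL scheme.
INDICATORS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def decode_body(body: str) -> str:
    """Undo form/URL encoding, repeating until stable to catch double encoding."""
    prev = None
    while body != prev:
        prev, body = body, unquote_plus(body)
    return body


def naive_match(body: str) -> bool:
    """Literal substring check, equivalent to the LIKE clauses in the SIEM query."""
    return "<script>" in body or "javascript:" in body


def is_suspicious(record: dict) -> bool:
    """Flag POSTs to the vulnerable endpoint whose decoded body carries an indicator."""
    if record.get("method") != "POST" or record.get("uri") != VULN_URI:
        return False
    return INDICATORS.search(decode_body(record.get("body", ""))) is not None


def scan(records):
    """Return the subset of records that should raise an alert."""
    return [r for r in records if is_suspicious(r)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("ALERT:", hit["method"], hit["uri"], hit["body"])
```

The second sample record is missed by `naive_match` but caught by `is_suspicious`, which is the gap the decoding step closes.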