CVE-2025-34315
📋 TL;DR
This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript through the remote syslog configuration. When other users view the affected configuration page, the injected code executes in their browser context. Only IPFire installations before version 2.29 (Core Update 198) are affected.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to full system compromise.
Likely Case
Attackers with authenticated access could steal session tokens or credentials from administrators viewing the configuration page, leading to privilege escalation.
If Mitigated
With proper access controls limiting who can modify syslog settings, impact is reduced to only authorized users who might be targeted.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the web interface. The vulnerability is stored/persistent, making it more dangerous than reflected XSS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IPFire 2.29 (Core Update 198)
Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Restart Required: No
Instructions:
1. Log into the IPFire web interface as admin.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify that the version shows 2.29.
🔧 Temporary Workarounds
Restrict access to syslog configuration
Limit which users have permission to modify remote syslog settings in the web interface.
Input validation at proxy/WAF
Configure a web application firewall or reverse proxy to block XSS payloads in POST requests to /cgi-bin/logs.cgi/config.dat.
🧯 If You Can't Patch
- Restrict web interface access to trusted networks only using firewall rules.
- Implement strict session management with short timeouts and require re-authentication for sensitive actions.
🔍 How to Verify
Check if Vulnerable:
Check the IPFire version via the web interface (System > About) or with the SSH command 'cat /etc/ipfire-release'. If the version is older than 2.29 (Core Update 198), the system is vulnerable.
Check Version:
cat /etc/ipfire-release
Verify Fix Applied:
After updating, verify version shows 2.29. Test by attempting to inject basic XSS payload into REMOTELOG_ADDR field and confirm it's properly encoded/sanitized.
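As an added illustration of what "properly encoded/sanitized" means for this field (example code written for this page, not IPFire's own Perl CGI code), the Python below shows the two layers a fix for this bug class needs: an allowlist check on REMOTELOG_ADDR before it is stored, and HTML attribute encoding when the stored value is rendered back into the configuration page. It assumes the field holds a bare hostname or IP address without a port; the payload string is constructed for the demonstration.

```python
import html
import ipaddress
import re

# RFC 1123 hostname label; assumption: REMOTELOG_ADDR is a host or IP only (no port).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def is_valid_remotelog_addr(value: str) -> bool:
    """Allowlist check: accept an IPv4/IPv6 address or an RFC 1123 hostname.
    Markup, quotes, whitespace and other characters never reach storage."""
    value = value.strip()
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def render_unsafe(addr: str) -> str:
    # Mirrors the bug class: the stored value is interpolated into HTML verbatim.
    return f'<input type="text" name="REMOTELOG_ADDR" value="{addr}">'


def render_safe(addr: str) -> str:
    # Output encoding; quote=True also escapes the double quote so the
    # attribute context cannot be broken out of even if validation is bypassed.
    return f'<input type="text" name="REMOTELOG_ADDR" value="{html.escape(addr, quote=True)}">'


def store_remotelog_addr(submitted: str, settings: dict) -> bool:
    """Persist the setting only if it passes the allowlist; returns True on success."""
    if not is_valid_remotelog_addr(submitted):
        return False
    settings["REMOTELOG_ADDR"] = submitted.strip()
    return True


if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'  # constructed test value
    print("valid:", is_valid_remotelog_addr(payload))
    print("unsafe:", render_unsafe(payload))
    print("safe:  ", render_safe(payload))
```

Run against a test value: the unsafe renderer emits a live script tag, the safe renderer emits only entities, and the allowlist rejects the value before it is ever stored.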
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/logs.cgi/config.dat with JavaScript patterns in parameters
- Multiple failed login attempts followed by successful login and configuration changes
Network Indicators:
- HTTP POST requests containing script tags or JavaScript functions in REMOTELOG_ADDR parameter
SIEM Query:
source="ipfire_web_logs" AND url_path="/cgi-bin/logs.cgi/config.dat" AND param="REMOTELOG_ADDR" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")