[Security-announce] pfSense-SA-17_07.packages


=============================================================================
pfSense-SA-17_07.packages                                   Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in Status Monitoring base package

Category:       pfSense Base Packages
Module:         Status_Monitoring
Announced:      2017-09-19
Credits:        Mohammed Latifi - Servonet S.n.c - www.servonet.it
Affects:        Status_Monitoring base package < 1.6.2 and 1.7.x < 1.7.2
Corrected:      2017-09-19 14:46:00 UTC
                   FreeBSD-ports/devel, v1.7.2 for pfSense 2.4.1 snapshots
                2017-09-19 14:46:22 UTC
                   FreeBSD-ports/RELENG_2_4_0, v1.7.2 for pfSense 2.4-RELEASE
                2017-09-19 14:48:10 UTC
                   FreeBSD-ports/RELENG_2_3, v1.6.2 for pfSense 2.3.5 snapshots
                2017-09-19 14:48:25 UTC
                   FreeBSD-ports/RELENG_2_3_4, v1.6.2 for pfSense 2.3.4_x

0.   Revision History

v1.0  2017-09-19 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in the 'view' parameter of
status_monitoring.php which is a part of the Status_Monitoring package included
in the base installation of pfSense software.

If a malicious client submits a 'view' parameter containing HTML, it is
displayed to the user viewing status_monitoring.php without encoding.
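
The following PHP is an added illustration of the flaw class described above and of the two standard fixes; it is not pfSense's own status_monitoring.php. It assumes a page that accepts a 'view' query parameter and reflects it into the rendered HTML, and the list of permitted view names is a constructed example.

```php
<?php
// Added example, not the pfSense code. Assumed: a page reads a 'view' query
// parameter naming a graph view and echoes it back into its HTML.

// Constructed request value of the kind a malicious client could submit.
$_GET['view'] = '<script>alert(document.cookie)</script>';

// Vulnerable pattern: the raw parameter is interpolated into the page, so the
// browser parses the injected markup and executes the script in the context of
// the logged-in user's session.
function render_view_vulnerable(string $view): string
{
    return "<h2>Monitoring view: {$view}</h2>";
}

// Fix 1, encode on output: htmlspecialchars() converts <, >, &, " and ' into
// entities, so whatever the client sent is displayed as inert text.
function render_view_encoded(string $view): string
{
    $safe = htmlspecialchars($view, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Monitoring view: {$safe}</h2>";
}

// Fix 2, validate on input: 'view' only ever selects one of a fixed set of
// graphs (an assumed list), so anything outside that set is replaced by the
// default before it reaches any output path.
const ALLOWED_VIEWS = ['system', 'traffic', 'packets', 'quality'];

function select_view(?string $view): string
{
    return in_array($view, ALLOWED_VIEWS, true) ? $view : 'system';
}

$view = $_GET['view'] ?? '';
// The injected script tag is passed through intact.
echo render_view_vulnerable($view), PHP_EOL;
// The same input is rendered as entity-escaped text.
echo render_view_encoded($view), PHP_EOL;
// The unknown value is discarded and the default view is rendered.
echo render_view_encoded(select_view($view)), PHP_EOL;
```

Output encoding is the fix that closes the reported issue regardless of input; the allow-list is defence in depth that also removes the parameter as an injection surface for any other sink the value might later reach.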

III. Impact

Because the affected parameter is output without proper encoding, arbitrary
JavaScript can be executed in the user's browser. The user's session cookie or
other information from the session may be compromised.

IV.  Workaround

No workaround.

V.   Solution

Upgrade to pfSense software version 2.4-RELEASE or another corrected version.
This upgrade may be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

Rather than a full upgrade, the Status_Monitoring package may be upgraded on
its own. Run the following commands at a shell prompt as root (directly or
using sudo):

  pkg update -f
  pkg upgrade -y pfSense-Status_Monitoring

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
FreeBSD-ports/devel                f044c1e4e3f647028c57ae1a572dc6377e555ff3
FreeBSD-ports/RELENG_2_4_0         c919d10d1194da689a18905801bfe86ceef82230
FreeBSD-ports/RELENG_2_3           0db1ce65a93b063c268aaed477252197d566da03
FreeBSD-ports/RELENG_2_3_4         c3c919d640ff0a7319b8f080184bb90dabc7807e
-----------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-17_07.webgui.asc>
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce