deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-18_02.webgui

Hash: SHA256

pfSense-SA-18_02.webgui                                     Security Advisory

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2018-01-29
Credits:        Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc.
Affects:        pfSense software version 2.3.x <= 2.3.5-p1, 2.4.x <= 2.4.2-p1
Corrected:      2017-01-29 17:24:25 UTC (pfSense/master, pfSense 2.4.3)
                2017-01-29 17:24:25 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x)
                2017-01-29 17:24:25 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2017-01-29 17:24:25 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)

0.   Revision History

v1.0  2018-01-29 Initial SA draft

I.   Background

pfSenseĀ® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in
diag_system_activity.php, a part of the pfSense software WebGUI, on version
2.3.5-p1 and earlier (2.3.x branch) and on version 2.4.2-p1 and earlier (2.4.x

On diag_system_activity.php, the output of the "top" command was printed to the
user without encoding, which could be used as an XSS vector.

III. Impact

Due to the lack of proper encoding on the affected output susceptible to XSS,
arbitrary JavaScript can be executed in the user's browser. The user's session
cookie or other information from the session may be compromised.

Exploiting this requires that the attacker already have sufficient access to the
firewall to run arbitrary processes at the command prompt (console or ssh) or
via diag_command.php, which makes this attack impractical, but the possibility
remains that such a process could be triggered by other means.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or more
of the following:
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users of pfSense 2.4.x can upgrade to version 2.4.3 or later. This upgrade may
be performed in the web interface or from the console.


Users running pfSense 2.3.x can upgrade to the next available 2.3.x version,
which is still pending.

   See for
   special instructions on using the 2.3.x legacy Security/Errata branch.

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     c083e1e49af4902d15173d412feebd8b86a616ee
pfSense/RELENG_2_4_2               bd866431ba009f0ffbb0cad18e156dfd3017dbb7
pfSense/RELENG_2_3                 834ac053f1df4effcb70aa82bef780e7a8499e26
pfSense/RELENG_2_3_5               51992270b53084fdf0a2febf2fa3cf823b8357ed
- - -------------------------------------------------------------------------

VII. References


The latest revision of this advisory is available at
Version: GnuPG v2

Security-announce mailing list