[Security-announce] [UPDATED] pfSense-SA-17_07.packages
21 November, 2017 by security@pfsense.org | pfsense
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=============================================================================
pfSense-SA-17_07.packages Security Advisory
pfSense
Topic: XSS vulnerability in Status Monitoring base package
Category: pfSense Base Packages
Module: Status_Monitoring
Announced: 2017-09-19
Credits: Mohammed Latifi - Servonet S.n.c - www.servonet.it
Affects: Status_Monitoring base package < 1.6.3 and 1.7.x < 1.7.5
Corrected: 2017-11-01 15:21:54 UTC
FreeBSD-ports/devel, v1.7.5 for pfSense 2.4.2 snapshots
2017-11-01 15:24:41 UTC
FreeBSD-ports/RELENG_2_4_1, v1.7.5 for pfSense 2.4.1-RELEASE
2017-11-01 15:34:57 UTC
FreeBSD-ports/RELENG_2_3, v1.6.3 for pfSense 2.3.6 snapshots
2017-11-01 15:34:57 UTC
FreeBSD-ports/RELENG_2_3_5, v1.6.3 for pfSense 2.3.5
0. Revision History
v1.0 2017-09-19 Initial SA draft
v1.1 2017-11-21 Updated with additional corrections
I. Background
pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.
The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge. The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.
II. Problem Description
A Cross-Site Scripting (XSS) vulnerability was found in the 'view' and 'title'
parameters of status_monitoring.php which is a part of the Status_Monitoring
package included in the base installation of pfSense software.
If a malicious client submits a 'view' or 'title' parameter containing HTML, it
is displayed to the user viewing status_monitoring.php without encoding.
III. Impact
Due to the lack of proper encoding on the affected variable susceptible to XSS,
arbitrary JavaScript can be executed in the user's browser. The user's session
cookie or other information from the session may be compromised.
IV. Workaround
No workaround.
V. Solution
Upgrade to pfSense software version 2.4.2-RELEASE or another corrected version.
This upgrade may be performed in the web interface or from the console.
See https://doc.pfsense.org/index.php/Upgrade_Guide
Rather than a full upgrade, the Status_Monitoring package may be upgraded on
its own without performing a full upgrade. Run the following commands at a
shell prompt as root (directly or using sudo):
pkg update -f
pkg upgrade -y pfSense-Status_Monitoring
VI. Correction details
The following list contains the correction revision numbers for each
affected item.
Branch/path Revision
- - - -------------------------------------------------------------------------
FreeBSD-ports/devel f044c1e4e3f647028c57ae1a572dc6377e555ff3
f66fc11bdb3c83d1bbab2dfa7cbd5228ddd39b18
f2f6ef726e737ee3c6e2954157e94a79c7bfb490
FreeBSD-ports/RELENG_2_4_1 c919d10d1194da689a18905801bfe86ceef82230
c850e2b5dc83b9df42c21cc83e76be8435bcb21f
adbb714251ae5c22c5e4f974cef8b98eff4a50bf
FreeBSD-ports/RELENG_2_3 0db1ce65a93b063c268aaed477252197d566da03
713dfab1bc38423b6504a2a68674751517da0e32
FreeBSD-ports/RELENG_2_3_5 c3c919d640ff0a7319b8f080184bb90dabc7807e
6584980eb4a4373b87f26af57f80d1e4362e833b
- - - -------------------------------------------------------------------------
VII. References
<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>
The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-17_07.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJaFFuQAAoJEBO5h/2SFPjak28QAMxLisoN3DXYj9p26MydE5Fl
D7pXVQ6TVjmbvohogi/6rH58GHq8ntb/XvKC8e8RZGUG24AJxW+iZlJB6K77oIw8
fS4KBztLRYujqVYJejfMot53nUWi4Amo+SCgj+y10YJnzLcO+BpG2z9eC3rzhJ/c
yh4/Akt+fPqLolZdU565rZda9QKrolAx9T6Sh0IAwjz2SesQHHUUmC9KxJhbSM5u
C3AVh/5WkngbBjN5oywta5Y2DRcljbwDYaV2gwdJqEttgqMmVOXb12iEZM1zjNu+
dtkKxZXdDtM0pUv9mEbosMofMuE9owE5ThynZF039x46GlG1mhdSSvi3uvU6kIgD
QT0VCn8uMWtXeekdfiYGqNDS6Jo89En7AvcaWobzTwLABZCrh2fO12S3HlUoH0q2
x3cL1ehjOE8e8bbG7II+gLIyGTRxVdAQ3LXywsTZFyUYPh9MxtX6weinAu3oND4/
y4MgxnowWWvHqx/dziypkcnkRY/LE3JB8XCUWZ/Ju0BOi3pjGp3V48YOuVeVmaIB
kUee03m3pUSLFBtvAJbSMuxCnBVdleCmACdvxSJS0b28blkAVoafDcG70vcfnQFG
vIWsQ4AKj2EYpDlvAq8yABwaDVJKHdcaTartQSLcsaoh/yKXsSYE1Y5gRoM88luC
UlL6u5XQbTHIh0/sbcMa
=2SEv
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce