BSDSec

deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-16_06.squid

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-16_06.squid                                      Security Advisory
                                                                      pfSense

Topic:          Stored XSS in the pfSense squid package GUI

Category:       pfSense Package System
Module:         squid
Announced:      2016-06-09
Credits:        Remco Sprooten
Affects:        pfSense-pkg-squid versions < 0.4.18
Corrected:      2016-06-08 12:16:17 UTC (freebsd-ports/devel, pfSense 2.4.x pkg)
                2016-06-08 12:18:14 UTC (freebsd-ports/RELENG_2_3, 2.3.2 pkg)
                2016-06-08 12:18:28 UTC (freebsd-ports/RELENG_2_3_1, 2.3.1 pkg)
                2016-06-08 12:18:43 UTC (freebsd-ports/RELENG_2_3_0, 2.3 pkg)

0.   Revision History

v1.0  2016-06-09 Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense system includes third-party free software
packages for additional functionality, and provides most of the functionality
of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, it
requires no UNIX knowledge: the command line is not needed, and rule sets never
have to be edited by hand.  Instead, pfSense software includes a web interface
for the configuration of all included components.  Users familiar with
commercial firewalls will quickly understand the web interface, while those
unfamiliar with commercial-grade firewalls may encounter a short learning curve.

Squid is an open source forward and reverse proxy daemon that can cache web
content, control access to HTTP resources, and can be extended to offer
antivirus and filtering capabilities.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in squid_clwarn.php, part
of the squid package available for pfSense 2.3.1 and earlier versions. When the
ClamAV virus scanner feature is enabled, squid uses this file to display
information about detected viruses to the user and to record the same
information in a log file. The data passed to squid_clwarn.php was not
sanitized before it was displayed, nor before it was written to the log. The log
was in turn displayed by squid_monitor_data.php without encoding, so the
unsanitized input is both reflected to the requesting browser and stored for
later display.

III. Impact

Because the affected variables are not encoded on either page, arbitrary
JavaScript can be executed in the browser of a user who views the warning page
or, since the input is stored in the virus log, of an administrator who later
views that log through squid_monitor_data.php. The session cookie or other
information from the session may be compromised. Additionally, crafted input
supplied to squid_clwarn.php could hide entries from the virus log as it is
displayed.
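The pattern in sections II and III, as an added PHP illustration (not the
pfSense squid package's own code): a warning page that echoes request data, a
log writer that stores it, and a monitor page that prints the log back, each
shown in its vulnerable and corrected form. The parameter names `url` and
`virus`, the log format, and the sample request are assumptions made for this
example; the advisory does not publish the actual parameters or payloads.

```php
<?php
// Added illustration of the pattern the advisory describes; this is NOT the
// pfSense squid package's own code.  Parameter names ('url', 'virus'), the
// log format and the sample request below are assumptions for the example.

// ---------- Vulnerable shape: request data reaches HTML and the log as-is ----------

function render_warning_vulnerable(array $params): string
{
    $url   = $params['url']   ?? '';
    $virus = $params['virus'] ?? '';
    // Reflected XSS: anything in $url or $virus is emitted as markup.
    return "<p>Access to $url was blocked: $virus</p>\n";
}

function log_line_vulnerable(string $ts, array $params): string
{
    // Log injection: a CR/LF inside a field starts a forged record, and any
    // markup survives into the log for whoever renders it later.
    return $ts . ' ' . ($params['url'] ?? '') . ' ' . ($params['virus'] ?? '') . "\n";
}

function render_log_vulnerable(string $log): string
{
    // Stored XSS: the log is printed back into the page without encoding.
    return "<pre>$log</pre>\n";
}

// ---------- Hardened shape ----------

function h(string $s): string
{
    // Encode for an HTML text or attribute context; ENT_SUBSTITUTE keeps a
    // malformed UTF-8 sequence from silently emptying the output.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function log_field(string $s): string
{
    // One record per line: strip ASCII control characters (CR, LF, NUL, ESC, ...).
    return preg_replace('/[\x00-\x1F\x7F]/', '', $s);
}

function render_warning_fixed(array $params): string
{
    return '<p>Access to ' . h($params['url'] ?? '')
         . ' was blocked: ' . h($params['virus'] ?? '') . "</p>\n";
}

function log_line_fixed(string $ts, array $params): string
{
    return $ts . ' ' . log_field($params['url'] ?? '')
               . ' ' . log_field($params['virus'] ?? '') . "\n";
}

function render_log_fixed(string $log): string
{
    // The log is data, not markup, so it is encoded again at display time.
    return '<pre>' . h($log) . "</pre>\n";
}

// ---------- Constructed sample request (not captured traffic) ----------

$hostile = [
    'url'   => 'http://example.invalid/<script>alert(document.cookie)</script>',
    // The newline forges a second record; the unclosed comment hides every
    // later record from anyone viewing the log through the vulnerable page.
    'virus' => "Eicar-Test-Signature\n<!-- ",
];
$benign = ['url' => 'http://example.invalid/sample.exe', 'virus' => 'Example.Test.Signature'];

echo "== warning page ==\n";
echo render_warning_vulnerable($hostile);   // <script> reaches the browser intact
echo render_warning_fixed($hostile);        // shown as &lt;script&gt;... text

$log_vuln  = log_line_vulnerable('2016-06-08T12:00:00Z', $hostile)
           . log_line_vulnerable('2016-06-08T12:00:01Z', $benign);
$log_fixed = log_line_fixed('2016-06-08T12:00:00Z', $hostile)
           . log_line_fixed('2016-06-08T12:00:01Z', $benign);

echo "== monitor page ==\n";
echo render_log_vulnerable($log_vuln);      // benign record swallowed by <!-- ; script runs
echo render_log_fixed($log_fixed);          // two records, both visible, no script
```

Run it with `php example.php` and compare the two monitor-page outputs. The
two halves of the fix are independent: encoding at display time stops the
script and the HTML comment from taking effect, but only the write-side
control-character filter stops a single request from forging extra log
records, so both the warning page and the monitor page need their own change.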

IV.  Workaround

Upgrade the squid package on pfSense to 0.4.18 or later which includes fixes for
these issues.

To mitigate the problem on older releases, use one or more of the following:
* Restrict access to the web server on the firewall to trusted sources.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Upgrade the squid package on pfSense to 0.4.18 or later which includes fixes for
these issues.

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                        Revision (git commit)
-------------------------------------------------------------------------
freebsd-ports/devel                e99ba5ea416690285a4ab3e094c4b2c0fb20c735
                                   442b7dd6b6e3ff8976f88ab1f168d365cdebe520
freebsd-ports/RELENG_2_3           90bcaee8d8315e4026e2afed2ea7c6fdd55ffd20
                                   d581d14a7a88027655719c8ad3f9bed7c2f7585f
freebsd-ports/RELENG_2_3_1         408eb385c5696a271945226bb10c77dc2231793c
                                   e2a02e3773f33d0bd9f450ffb0d9cfd7215791b8
freebsd-ports/RELENG_2_3_0         e82ef1c5b43ab4fd1117966d0de881655958f1f3
                                   b301844cadcb2887c788be38eadc9b50ea5b8d52
-------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-16_06.squid.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce