[Security-announce] pfSense-SA-17_03.webgui

=============================================================================
pfSense-SA-17_03.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Multiple XSS and CSRF Vulnerabilities in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2017-02-10
Credits:        Tim Coen - Curesec GmbH
Affects:        pfSense software version <= 2.3.2_1
Corrected:      2017-02-07 18:35:24 UTC (pfSense/master, pfSense 2.4)
                2017-02-07 18:37:03 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2017-02-07 18:37:07 UTC (pfSense/RELENG_2_3_2, pfSense 2.3.2_x)

0.   Revision History

v1.0  2017-02-10 Initial release

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting (XSS) vulnerabilities and one CSRF issue were
found in the pfSense software WebGUI on version 2.3.2_1 and earlier.

On pkg_mgr_install.php, the "from" and "to" parameters are vulnerable to
reflected XSS when performing a reinstall action.

On pkg.php, the "pkg_filter" parameter is vulnerable to reflected XSS when a
package XML file contains a field type of "sorting" which also has
"include_filtering_inputbox" active. Currently the only affected package is
FreeRADIUS (freeradius.xml and freeradiusauthorizedmacs.xml both meet these
conditions).

The easyrule.php script uses GET variables, making it possible to add new
firewall rules via CSRF.

III. Impact

Due to the lack of proper encoding on the affected variables and pages
susceptible to XSS, arbitrary JavaScript can be executed in the user's browser.
The user's session cookie or other information from the session may be
compromised.

Due to the use of GET on easyrule.php, a firewall administrator could
unknowingly create an unwanted firewall rule if they are the victim of a CSRF
attack.

IV.  Workaround

To mitigate the problem on older releases, use one or more of the following:
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.
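
The following added example (not part of the original advisory, and not
pfSense code) is a log check for systems that cannot be upgraded immediately:
it flags requests whose "from", "to" or "pkg_filter" values contain HTML
metacharacters, and GET requests to easyrule.php that carry a query string
without a Referer from the WebGUI itself. The combined access-log layout, the
host name fw.example.test and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Pages and parameters the advisory names as reflected-XSS sinks.
XSS_PARAMS = {"/pkg_mgr_install.php": ("from", "to"), "/pkg.php": ("pkg_filter",)}
HTML_META = re.compile(r"[<>\"']")
# Assumption: combined access-log format (request line, status, size, referer).
LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

GUI_HOST = "fw.example.test"  # assumed WebGUI host name
SAMPLE = [  # constructed log lines, not taken from a real system
    '192.0.2.10 - - [10/Feb/2017:09:00:01 +0000] "GET /pkg_mgr_install.php?from=%22%3E%3Cb%3E&to=1 HTTP/1.1" 200 512 "-" "constructed-agent"',
    '192.0.2.10 - - [10/Feb/2017:09:00:05 +0000] "GET /pkg.php?pkg_filter=radius HTTP/1.1" 200 512 "https://fw.example.test/" "constructed-agent"',
    '192.0.2.10 - - [10/Feb/2017:09:01:00 +0000] "GET /easyrule.php?param=value HTTP/1.1" 200 512 "http://other.example/page" "constructed-agent"',
    '192.0.2.10 - - [10/Feb/2017:09:02:00 +0000] "GET /easyrule.php?param=value HTTP/1.1" 200 512 "https://fw.example.test/" "constructed-agent"',
]

def review(line, gui_host=GUI_HOST):
    """Return the findings for one access-log line (empty list if clean)."""
    m = LINE.search(line)
    if not m:
        return []
    url = urlsplit(m["uri"])
    params = parse_qs(url.query, keep_blank_values=True)  # values are URL-decoded
    findings = []
    for name in XSS_PARAMS.get(url.path, ()):
        if any(HTML_META.search(value) for value in params.get(name, [])):
            findings.append(f"xss-probe:{url.path}:{name}")
    # A state-changing GET that did not originate from the GUI is a CSRF lead.
    if url.path == "/easyrule.php" and m["method"] == "GET" and url.query:
        if urlsplit(m["referer"]).hostname != gui_host:
            findings.append("csrf-suspect:/easyrule.php")
    return findings

def scan(lines, gui_host=GUI_HOST):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    hits = {}
    for number, line in enumerate(lines, 1):
        found = review(line, gui_host)
        if found:
            hits[number] = found
    return hits

if __name__ == "__main__":
    for number, found in scan(SAMPLE).items():
        print(number, ", ".join(found))
```

A Referer can be absent for benign reasons, so csrf-suspect hits are leads to
correlate with unexpected firewall rule changes rather than proof of an attack.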

V.   Solution

Upgrade to version 2.3.3 of the pfSense software, or a later version. This may
be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                     2c06742d784cb7ec85151327fd753536d98fbcc1
                                   ed7bfaa4b99fc6d4c4f3b2be1dfd738f3cc8e16b
                                   0f026089f65d92328d680443de5f9a90af50115c
pfSense/RELENG_2_3                 082f3663d2ac75e1f7e718715ea23b0168a866a7
                                   7100f0410b02d152f12f95fa892c427b06ec26c0
                                   4cef56bf20314009ad83bf747901ed1adeda8c70
pfSense/RELENG_2_3_2               ede8a9537ef9d15f8c1d288d9e89d4476a84656f
                                   ed7bfaa4b99fc6d4c4f3b2be1dfd738f3cc8e16b
                                   f0cf40f964f2a559ddcf495f492bd9d38f924512
-------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-17_03.webgui.asc>