BSDSec

deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-17_04.webgui

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-17_04.webgui                                     Security Advisory
                                                                      pfSense

Topic:          DHCP Lease XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2016-04-26
Credits:        Stefan Wieczorek
                (DCSO Deutsche Cyber-Sicherheitsorganisation GmbH)
Affects:        pfSense software version <= 2.3.3-p1
Corrected:      2017-04-26 17:12:04 UTC (pfSense/master, pfSense 2.4)
                2017-04-26 17:28:09 UTC (pfSense/RELENG_2_3, pfSense 2.3.4)
                2017-04-26 17:27:58 UTC (pfSense/RELENG_2_3_3, pfSense 2.3.3_x)

0.   Revision History

v1.0  2016-04-26 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in the DHCP lease display
in the pfSense software WebGUI on version 2.3.3-p1 and earlier.

If a malicious client submits a hostname containing HTML, it is displayed to
the user viewing the DHCP leases without encoding.

III. Impact

Due to the lack of proper encoding on the affected variable succeptible to XSS,
arbitrary JavaScript can be executed in the user's browser. The user's session
cookie or other information from the session may be compromised.

IV.  Workaround

No workaround.

V.   Solution

Upgrade to pfSense software version 2.3.4 or a later version. This upgrade may
be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     49a6769d99b4ea0306b0d619d14c3c0c841386e9
pfSense/RELENG_2_3                 9e721fea09dc252cd264bc2b67ef40a1d2d81e11
pfSense/RELENG_2_3_3               a260eda55905607e9adfd5d7c3fd779b115459d5
- - -------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-17_04.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZCgb7AAoJEBO5h/2SFPjaVmQP/RxMkpNZt5nAuiGP5NudMDVg
PWcNKAmWenGA5mW9p85AHE/EKKoBJa2UkKZj6oAG5DYP+JR4BF2BEHyGlsTtMxp8
ugosARW+97mTib1cWF5bcTwL8GAYBoltoZJJWTqmzj2cqxX4gILYJvPMDPNqhb8T
KFc5HrRfq1R1FKYVG8GzWqrrxr8QL7RQPkKOGHvaqcGCr8jUMAC6iD5RvmpQwC+T
3Ulzxz2MrECBlvNPTy4/mgXmWNzrm78s80YmOJo5BIY7hZcKdFtY/RMxrJ5422oD
RIwTjWGdbk/BDv+kqy9bXScwkd6r+1fdc8ALQf+KCHxQhlwu37ISVovVHaX0s3P0
xfG+XzJi0HPtmO2Qj1IEk5N+qUFBe412/0ygmXLvve2JAdP6aUwxtyKBZbNqGJDa
nsdJgxqgRkvQ73o2vjNiBRlIX4xjQ8+LziZSJk9T9yWvqxljHwOdd8ou0FwRsaVJ
f98oyeNdKgvx/lKT2jrI3WkYZCaBL8MU1oqUDHA8S+XhiNLKnFtdBRMfxpUKrWqr
P4W2OlFmDYn3WQSggjxT7AFTy7GmbH48LXwKDnNHZcFiQCGsy8RAyCHRYcZcz8oF
YUgJlw0h76tBjWAsfsgDVBZmdN4hwPEtGxzr9nOuCOuvNfR0tteVPAmRMo94ChWN
RNFmUOmzrtP3AGCYSjux
=foHb
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce