[Security-announce] pfSense-SA-17_05.webgui
20 July, 2017 by security@pfsense.org | pfsense
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================================================= pfSense-SA-17_05.webgui Security Advisory pfSense Topic: Multiple XSS vulnerabilities in the WebGUI Category: pfSense Base System Module: webgui Announced: 2016-07-19 Credits: Security Innovation, Inc Affects: pfSense software version <= 2.3.4 Corrected: 2017-06-16 19:24:38 UTC (pfSense/master, pfSense 2.4) 2017-06-16 19:36:25 UTC (pfSense/RELENG_2_3, pfSense 2.3.5) 2017-06-16 19:36:14 UTC (pfSense/RELENG_2_3_4, pfSense 2.3.4_x) 0. Revision History v1.0 2016-07-19 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description Cross-Site Scripting (XSS) vulnerabilities were found in three pages of the pfSense software WebGUI on version 2.3.4 and earlier. * On vendor/filebrowser/browser.php, which is part of the "Browse" function on diag_edit.php, the "filename" parameter can be used to trigger an XSS if a file exists with a specially-crafted name. In order to exploit this, a user must be able to write files with arbitrary names to the firewall and then coerce an administrator with GUI access to load that same file in diag_edit.php through the file browser. * On firewall_nat_edit.php, the "interface" parameter was not validated on save, so a specially-crafted submission could store an interface with a name that could trigger an XSS through the dst_change() JavaScript function on the page. * On diag_tables.php, the "type" parameter which contains the table name to display was not being validated against a list of current tables. The unvalidated parameter was submitted back via AJAX to load the invalid table, and was presented to the user unencoded. III. Impact Due to the lack of proper encoding on the affected variable susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. To help mitigate the problem on older releases, use one or more of the following: * Do not give firewall administrators access to pages or functions which allow writing arbitrary files to the firewall. * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Upgrade to pfSense software version 2.3.4-p1 or a later version. This upgrade may be performed in the web interface or from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master e90eaf31f079dc29187d1c08cfe88ceabc0786f4 9c8540ca53f8258a44aaf13100d575b30ae77e65 d0acfddd3afb11cb53aa13a00bf2f89b0a98ae4f pfSense/RELENG_2_3 bae3b2be97be0d1bee9c49244e3d7f1dcb03687f 6c989d4ac23cfd7888d6881a3716875bb3298a07 d6f20c329751e249d1066e0e3241e77a84dcc338 pfSense/RELENG_2_3_4 425174aef7ac56499d710316b3c23cf2e4ac7947 e243e3253393a20ae0ac442b58438075d46f6b16 5ca16d84d21d4551a090176090dc1cf7248431a5 - - ------------------------------------------------------------------------- VII. References <URL:https://doc.pfsense.org/index.php/Upgrade_Guide> The latest revision of this advisory is available at <URL:https://pfsense.org/security/advisories/pfSense-SA-17_05.webgui.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJZbmS8AAoJEBO5h/2SFPjaruwP/3tckvezsB1cvL+rxs+fkOwk aHsfDYgPkEeKThTsW6jDbIvzXLWgdpa3op7b8Vzakm06o7nVNTEXamYxxLWlrZ0g rNyBxPG88G7Q20EAlXsumgNDWy9dCXmoEIaGDA67jiDFazP49csdOcUoS/5Cu7EJ 4/8IPWZvcwUucGbgfYEzzkshiGGM3RbWOXiLOwJfxXVsK5H9xTbbgIAXNLXM0P1I gng0oxQb/XHWtMCOsr3N4swAHoQC/7yRSs0l0y2enY15i1zCGkyNrRhg2oj3AL55 6bnP9OmuVamh6ulnnH7eg8k6cUFBsygvIssuUiPSHz473hOtv3KTZfM2nrnvYdhh BAzzgeYF0HZP62m7nu2GUWTzhSRpQIunAkJLDMfuN0MsoCrtF9jQlH6wo/E4Aaji 55PhJoRnlHYsRVpWhWnv9bZEQVQ0+qUphEwLgnwT+cfTkuseFn3i88OkZLqGNhf+ iUfisDszH20WyOn6xoIpmauB/y3g0LyQE0CD1Y/V3HxqnU6RqibnjiPsSz4bvIMm r9NCXQ0jkkr4VCQXNhv84hTTtejIcuk0RSwJJR9CXLfcal2pk9eH5VZGoolIz64b hjtJc4ExQN8VewukHtLFvr9lFdwF8S4MbW6JlaAEgyNHTxSxeqYqhJyOt5sHUoK7 S/pqBUi1yMIXSEOinIlW =7IsT -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/security-announce