[Security-announce] pfSense-SA-17_08.webgui
21 November, 2017 by security@pfsense.org | pfsense
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================================================= pfSense-SA-17_08.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2017-11-14 Credits: Quentin Rhoads-Herrera, Security Researcher Affects: pfSense software version 2.3.x < 2.3.5, 2.4.x <= 2.4.1 Corrected: 2017-10-27 20:52:31 UTC (pfSense/master, pfSense 2.4) 2017-10-27 20:54:05 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5) 0. Revision History v1.0 2017-11-14 Initial SA draft v1.1 2017-11-21 Updated 2.3.x affected version I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in diag_dns.php, a part of the pfSense software WebGUI, on version 2.3.4 and earlier (2.3.x branch) and on version 2.4.1 and earlier (2.4.x branch). On diag_dns.php, the "hostname" parameter was being utilized without encoding in a JavaScript variable which could be used as an XSS vector. III. Impact Due to the lack of proper encoding on the affected variable susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users of pfSense 2.4.x can upgrade to version 2.4.2 or later. This upgrade may be performed in the web interface or from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide Users running pfSense 2.3.x can upgrade to 2.3.5 or later. See https://www.netgate.com/blog/pfsense-2-3-5-release-now-available.html for special instructions on using the 2.3.x legacy Security/Errata branch. VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master 43746e1b4ef6fec0e9c915495aa3926a6b97e7a3 f32e9531ae21852ef0b21709b8278d1091d55d56 pfSense/RELENG_2_3_5 ab1a2d264941d1b1601d38bad2ac2ff4de6d4d81 edc0092c7423d566d9e9d8f0dded63205c71b6f7 - - ------------------------------------------------------------------------- VII. References <URL:https://doc.pfsense.org/index.php/Upgrade_Guide> The latest revision of this advisory is available at <URL:https://pfsense.org/security/advisories/pfSense-SA-17_08.webgui.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJaFFbFAAoJEBO5h/2SFPja648QAJfQGoWUWGV5DsuM9HlWb9Zv jRXbmvfqIlfPI6eUR28HNPpCt4uQWw2NNWViFFuTCc3uj4SC7FXIE3oRzj3iE11V bEmNeRuA00x6qBHgo/iRwD07QNW7QC4vqZuScfjraQy6UiJVwcb8Jh4sDS9IDcWi 9f27qwbUheTT8dPxrbqCL7H9rKqCZKjZavGcVCv9f1cB8y5tYnsEuplNBJk+ZyYU uUNzJor8/UA9yVRMYpq8HwNSaf2o7zddgLmh4gW65ds6gDrHYz1rFCUnCbICYNEZ W/xaFecLJaI0W6ieNuMnKtUU4+EN3QJRf+NDyNOV+6F63wkLZkRe4pWlbzwgxEGv 7e/HCyKCCufnL0SUwH5m6cjisXw7C4FxnBv2UsbPHqXqsBzv8BY80bfzVtEcmQgV Rd5B13AUxRefVP99yMUIVCmK2RefnZf/JNqbpJ9sQSPs0iC4PglKE8zdYGZTRCqT T/TEDKKb0clz+pagPhbqSW4y2tIn7z8SU0EHOkiWfkyGcMMWeKtTlq/NPZmv/MbS Tvw+2J59vVlXuen0X80BguVU7Wdtd3DuS0ZFjlYELoEc+H6JwNErswlEC/ZTrWVB z9UESvw4dufJkyNWdEI+9zfFMKp4GWbG7K+HA/knZ7M2m9iIJdTDLcVuhxiai4a5 k4lgYPz0Fwt57JzQ1sv9 =fhRB -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/security-announce