[Security-announce] pfSense-SA-17_09.webgui
21 November, 2017 by security@pfsense.org | pfsense
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================================================= pfSense-SA-17_09.webgui Security Advisory pfSense Topic: Multiple XSS vulnerabilities in the WebGUI Dashboard Category: pfSense Base System Module: webgui Announced: 2017-11-14 Credits: Quentin Rhoads-Herrera, Security Researcher Affects: pfSense software version 2.4.x, <= 2.4.1 Corrected: 2017-10-24 19:50:56 UTC (pfSense/master, pfSense 2.4) 0. Revision History v1.0 2017-11-14 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description Cross-Site Scripting (XSS) vulnerabilities were found in the dashboard and widgets, components of the pfSense software WebGUI, on version 2.4.1 and earlier of the 2.4.x release branch. * On index.php, the "sequence" parameter component for multiple widget instance counters was not validated and it was echoed back to the user directly without encoding. A specially-crafted submission could store an invalid widget sequence which could be used as an XSS vector. * On numerous widgets which support multiple instances, the widgetkey parameter was taken from $_REQUEST and echoed back to the user directly without encoding, which could be used as an XSS vector. III. Impact Due to the lack of proper encoding on the affected variable susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. V. Solution Upgrade to pfSense software version 2.4.2 or a later version. This upgrade may be performed in the web interface or from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master 7b973ceb6f72e22ee1b335128fb8d7f655c82879 e3907730bdcc879f968d5d917ec9ac6567518e58 - - ------------------------------------------------------------------------- VII. References <URL:https://doc.pfsense.org/index.php/Upgrade_Guide> The latest revision of this advisory is available at <URL:https://pfsense.org/security/advisories/pfSense-SA-17_09.webgui.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJaC0duAAoJEBO5h/2SFPjahloQAKbpnwL4jU3urkUUtjPrKHNh A3Dg7zpDCr9FuUrZhFcVqNkMNoTnaIlRvlpts4zEFY7Mog6cg+iB/DiYzDyyCMG9 Cd7vaF3tN0cdXrFOkGQp/j70A7Smqftp0wK+WUZ/tSCFhEAtq7AL0nZawPhRlUcc /+0RozlwF9VGzJZv7HEhmmrhc+cEq1JlNgJlr7eVfs/6I0OhgiPpZ2+BbaBWShVx D46IbsHs5URNOcrg9HZuPwqlQ4kmn//iV8XN/y9I3SisN+yi3I5pgi9A5nRKUyoj xxgdHPmYVWA+5f8+jpcjmdSbNpKbzzP3WObKyj23N3Upd/DltNN1l3QL4mzr+mca bDq+rVWOEP4M60ZEU3gmB4lmt60i4Xc/TPl4fcpy2C6KmxTEGuAM4Y2MVoXqz+6F XLTXuaYie+v7GsPOL3T2qZ3BFviRZG6gSIg+itbSLa6cJI6VPC8se5w/m5PeYt+f x1zY+Pp/ZEBnxOFoE+MQIPcvagNcBd9tsmrRks9xhPUALIMB12d2R40OQhP9A8YG 5IGnh87MhgOJXW1Cbfn50M74scVNfcT8AWx4R49IYQDAc21Vb0Bs4h3/LD6WBxOE U++CJ20yzfUQ8oo2GTNRi4urTuqkL6aIxZQWOd5i+6dL/HDWA9xvtlgPPGFR6jbj tMOod6YYEb19pLBbmz7O =vITu -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/security-announce