[Security-announce] pfSense-SA-17_11.webgui
14 December, 2017 by security@pfsense.org | pfsense
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================================================= pfSense-SA-17_11.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2017-12-04 Credits: Internal Affects: pfSense software version 2.3.x <= 2.3.5, 2.4.x <= 2.4.2 Corrected: 2017-11-28 21:28:49 UTC (pfSense/master, pfSense 2.4) 2017-11-28 21:30:32 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x) 2017-11-28 21:39:08 UTC (pfSense/RELENG_2_3, pfSense 2.3.x) 2017-11-28 21:41:23 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x) 0. Revision History v1.0 2017-12-04 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a part of the pfSense software WebGUI, on version 2.3.5 and earlier (2.3.x branch) and on version 2.4.2 and earlier (2.4.x branch). On status_filter_reload.php, the "user" parameter was being utilized without encoding in JavaScript which could be used as an XSS vector. III. Impact Due to the lack of proper encoding on the affected variable susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users of pfSense 2.4.x can upgrade to version 2.4.2-p1 or later. This upgrade may be performed in the web interface or from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide Users running pfSense 2.3.x can upgrade to 2.3.5-p1 or later. See https://www.netgate.com/blog/pfsense-2-3-5-release-now-available.html for special instructions on using the 2.3.x legacy Security/Errata branch. VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master 82b1d76f934d793fe681c9c80da1a8e32cefc1f5 pfSense/RELENG_2_4_2 fea5a8af2c802033b7df2e398ccada544304aa35 pfSense/RELENG_2_3 11b3b8e6edbeb71a93f6b6f02b62fb682386355d pfSense/RELENG_2_3_5 36ca9be2d0c3bf01b3fd6fa0f4aa598803815b56 - - ------------------------------------------------------------------------- VII. References <URL:https://doc.pfsense.org/index.php/Upgrade_Guide> The latest revision of this advisory is available at <URL:https://pfsense.org/security/advisories/pfSense-SA-17_11.webgui.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJaMq8RAAoJEBO5h/2SFPja7yQQAKf9O1qoR4OxF3ofaWv3FloF 0oK8T7AzAUXBv6EXlCrbQOH76bTHRI3o0Uy8BshydJDzJFBK3V2eF0FjicrpHNH1 xy+uscnCVFm2DHK9tyr5rcb16O2Dwz7xO1O7vizRPB3ufcdRvMW6H/TFJdY0H9nw B21Ztj3v5SxWB53rTyn2OaFa7u6dDihzSaCtoDJcSIso7r4fxuNtfyL/ja9klrd+ NZ67FvSsW0UzOd0AQaKEPmNb3g8VrFs5J5Y/bLjvRGLMbdVgOdPamwndMA4jZpoa WRN5YTWJ/qn4lsux7fXcujfCzGIMpGzqNM0Yr9+fPklPHqxe/tqkQi5XZRSb78+j ijC26BQkAIKDYa1a8fgH99slX6dqL0cPgs9CK+gv5hCbgPmLYiRnUlQxoxutbV96 aNkH9Aq5GDLIYAxLPjRObNBUnvECJ6ZVR464rXUab6YnKjb1IfIn3GRnMlsQuixr zRN+TDtkvDMPI/5TYlz99YBPbtt0obI8pThtnCFentnET23//iFOBo7PPF6EMoif 2qCvuCIfIEFWAdo7jQZsYkdUyokqBa/in/wdtNiQnQFylvl4pDq7KzJ4EmJi3Os/ Vp7Eg/ojzOA/qNrP4AM9iV4c1RlLergd/qC/8Jv9PM7sDrvd4AFwErRhEP6ZKnX8 63TsfeK8Dr9nqmVwtcnw =DGcR -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/security-announce