BSDSec

deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-18_03.webgui

29 March, 2018 by security@pfsense.org | pfsense 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-18_03.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2018-01-29
Credits:        Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc.
Affects:        pfSense software version 2.4.x <= 2.4.2-p1
Corrected:      2017-01-29 17:26:41 UTC (pfSense/master, pfSense 2.4.3)
                2017-01-29 17:26:41 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x)

0.   Revision History

v1.0  2018-01-29 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in
traffic_graphs.widget.php, a part of the pfSense software WebGUI, on version
2.4.2-p1 and earlier (2.4.x branch).

On traffic_graphs.widget.php, the values of the widget settings were not
validated nor encoded before being printed to the user, which could be used as
a stored XSS vector.

III. Impact

Due to the lack of proper encoding on the affected variables susceptible to XSS,
arbitrary JavaScript can be executed in the user's browser. The user's session
cookie or other information from the session may be compromised.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or more
of the following:
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users of pfSense 2.4.x can upgrade to version 2.4.3 or later. This upgrade may
be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     e7b5b82b121c76c4c6bf57229bfef0ea3bc33d5b
pfSense/RELENG_2_4_2               f51de9fd9b762f50096e72481fad69e2440bca91
- - -------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-18_03.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJahz4PAAoJEBO5h/2SFPjaxcYP/jn6b63GGvipse99GWg+u/ko
vKVlGMti+MkaKFNi8bU1q8phXSAUlMdcbZ1XAEKYZ3B5lTfC9ilAHNlvpkrckce1
wQ7GWOB2EiOJvYE2C3gEWXGqniD5jiFW0EOjwVTk0qpOMggRFphRW2lyavEAiQhG
G2YrB3ZEq31J1pkH/zj5sAQfz+T9PLLD0lVu9lU70HRAoTonZTkgAWG9PGZBc7fP
8BZ7A2+/PsxnCE0e/Qu0AWnKH8mX4FBIRQ7YlDJr8yC82Mz699gwJB7LUNJzMLOj
8eNc6VEzhGfXsmOex23pIHOINTnx3DoyAYMP80vIdT+appg0zsYJykzYSGY1uR5e
snqPOVYpMaUHJSUMcJINd7rQ6loeTETnj2eMMBE6UbMwf7KbXkxiH2WeBMvl0mPJ
gkWjd5sVcGPnZ5hM2yZiEISM7K/inoRLEH7i0cvAPMyzRr7djmWdJAvAIdvrbCxj
74vtV34WtB+4bkN3Z4Z4MkVWktT7/LSBJzD+exm8X2ZbbWxOoObDMAntxw/BJpO5
5KZO5DATei85MNYcK803HpWneBHE0JJJeGsj0nT64B5YqTkNkA/r4zpqtZJPWnaD
TWTUekd9q5ChnmePcIOKLBS9LFXpxrULZAzofuUqhJ40tKSLTvH0JOzFrneEd63b
2aVGOjzEOklW1Bjxw+cu
=fZTE
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce