BSDSec

deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-18_03.webgui [UPDATED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-18_03.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2018-01-29
Credits:        Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc.
Affects:        pfSense software version 2.4.x <= 2.4.2-p1
Corrected:      2018-01-29 17:26:41 UTC (pfSense/master, pfSense 2.4.3)
                2018-01-29 17:26:41 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x)

0.   Revision History

v1.0  2018-01-29 Initial SA draft
v1.1  2018-05-02 Fixed year in correction timestamps

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in
traffic_graphs.widget.php, a part of the pfSense software WebGUI, on version
2.4.2-p1 and earlier (2.4.x branch).

On traffic_graphs.widget.php, the values of the widget settings were not
validated nor encoded before being printed to the user, which could be used as
a stored XSS vector.

III. Impact

Due to the lack of proper encoding on the affected variables susceptible to XSS,
arbitrary JavaScript can be executed in the user's browser. The user's session
cookie or other information from the session may be compromised.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or more
of the following:
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users of pfSense 2.4.x can upgrade to version 2.4.3 or later. This upgrade may
be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     e7b5b82b121c76c4c6bf57229bfef0ea3bc33d5b
pfSense/RELENG_2_4_2               f51de9fd9b762f50096e72481fad69e2440bca91
- - -------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-18_03.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJa6h2yAAoJEBO5h/2SFPjaWsMQAII44sZFYdsUIwuTKR9JXlct
C/JEzWRXIlQQD6O4bEDTj+AIDSib2VksiCwyFsGVwKzncrUDCX5cGVjIOrzM5bI9
Fhsb6GdyBzZyeiS64EvlWqIfi/xEeSOFvLJTRFeicCj/DpYiDCaMsaW2rqJjtp/s
WWAjnbmcY117jDGU38rmSXgOF8DrlSgFMEGPVkiB2yTT4SD4P7yP8Zc5L0m104rw
KTbYT2pnKOhTKp90OLUCKfO32o/pxIB95x/KsSFAi4KbGZJ2RfAT75YCa+CjNAHF
Xsc3tID63UpRD/mE8oUjAMNV1R52y+y8/bzg+nen/E4sO7RdTpMpCvCn4tO1O6SY
F42F4a2AmV1KuNVuXRgQpB+ns6OArWhnN4cVLxp9D/1XXnehQOB+2ya/i6l/buAI
5l1h0BUYiVaXdtDHVLsgEA/1bAseDggPh6KQVtc8tDlIgbayVPjCx2OZ+OcQzn5q
kzoIdpeQfHFw1VQCU2VEEeqHsiRA5RQ8zRHhCtW3PetaCe3od9WWX4f33XlHbWZ2
o6Qj+lEyoygsJC7+gYGYmkPLvvyVA70IPvg/W7keE6Jg8H/GBXBe623Oo/9fLW8j
rg7n2ydGr0tvRWz50hdTXnls6R8ZsDw/frwWOOj+rKn7cU/aXvV9n6o0zErx4mXm
NFJh794tmKI8oDZnCyWF
=9wfi
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce