[Security-announce] [UPDATED] pfSense-SA-17_07.packages
21 November, 2017 by security@pfsense.org | pfsense
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================================================= pfSense-SA-17_07.packages Security Advisory pfSense Topic: XSS vulnerability in Status Monitoring base package Category: pfSense Base Packages Module: Status_Monitoring Announced: 2017-09-19 Credits: Mohammed Latifi - Servonet S.n.c - www.servonet.it Affects: Status_Monitoring base package < 1.6.3 and 1.7.x < 1.7.5 Corrected: 2017-11-01 15:21:54 UTC FreeBSD-ports/devel, v1.7.5 for pfSense 2.4.2 snapshots 2017-11-01 15:24:41 UTC FreeBSD-ports/RELENG_2_4_1, v1.7.5 for pfSense 2.4.1-RELEASE 2017-11-01 15:34:57 UTC FreeBSD-ports/RELENG_2_3, v1.6.3 for pfSense 2.3.6 snapshots 2017-11-01 15:34:57 UTC FreeBSD-ports/RELENG_2_3_5, v1.6.3 for pfSense 2.3.5 0. Revision History v1.0 2017-09-19 Initial SA draft v1.1 2017-11-21 Updated with additional corrections I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in the 'view' and 'title' parameters of status_monitoring.php which is a part of the Status_Monitoring package included in the base installation of pfSense software. If a malicious client submits a 'view' or 'title' parameter containing HTML, it is displayed to the user viewing status_monitoring.php without encoding. III. Impact Due to the lack of proper encoding on the affected variable susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. V. Solution Upgrade to pfSense software version 2.4.2-RELEASE or another corrected version. This upgrade may be performed in the web interface or from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide Rather than a full upgrade, the Status_Monitoring package may be upgraded on its own without performing a full upgrade. Run the following commands at a shell prompt as root (directly or using sudo): pkg update -f pkg upgrade -y pfSense-Status_Monitoring VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - - ------------------------------------------------------------------------- FreeBSD-ports/devel f044c1e4e3f647028c57ae1a572dc6377e555ff3 f66fc11bdb3c83d1bbab2dfa7cbd5228ddd39b18 f2f6ef726e737ee3c6e2954157e94a79c7bfb490 FreeBSD-ports/RELENG_2_4_1 c919d10d1194da689a18905801bfe86ceef82230 c850e2b5dc83b9df42c21cc83e76be8435bcb21f adbb714251ae5c22c5e4f974cef8b98eff4a50bf FreeBSD-ports/RELENG_2_3 0db1ce65a93b063c268aaed477252197d566da03 713dfab1bc38423b6504a2a68674751517da0e32 FreeBSD-ports/RELENG_2_3_5 c3c919d640ff0a7319b8f080184bb90dabc7807e 6584980eb4a4373b87f26af57f80d1e4362e833b - - - ------------------------------------------------------------------------- VII. References <URL:https://doc.pfsense.org/index.php/Upgrade_Guide> The latest revision of this advisory is available at <URL:https://pfsense.org/security/advisories/pfSense-SA-17_07.webgui.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJaFFuQAAoJEBO5h/2SFPjak28QAMxLisoN3DXYj9p26MydE5Fl D7pXVQ6TVjmbvohogi/6rH58GHq8ntb/XvKC8e8RZGUG24AJxW+iZlJB6K77oIw8 fS4KBztLRYujqVYJejfMot53nUWi4Amo+SCgj+y10YJnzLcO+BpG2z9eC3rzhJ/c yh4/Akt+fPqLolZdU565rZda9QKrolAx9T6Sh0IAwjz2SesQHHUUmC9KxJhbSM5u C3AVh/5WkngbBjN5oywta5Y2DRcljbwDYaV2gwdJqEttgqMmVOXb12iEZM1zjNu+ dtkKxZXdDtM0pUv9mEbosMofMuE9owE5ThynZF039x46GlG1mhdSSvi3uvU6kIgD QT0VCn8uMWtXeekdfiYGqNDS6Jo89En7AvcaWobzTwLABZCrh2fO12S3HlUoH0q2 x3cL1ehjOE8e8bbG7II+gLIyGTRxVdAQ3LXywsTZFyUYPh9MxtX6weinAu3oND4/ y4MgxnowWWvHqx/dziypkcnkRY/LE3JB8XCUWZ/Ju0BOi3pjGp3V48YOuVeVmaIB kUee03m3pUSLFBtvAJbSMuxCnBVdleCmACdvxSJS0b28blkAVoafDcG70vcfnQFG vIWsQ4AKj2EYpDlvAq8yABwaDVJKHdcaTartQSLcsaoh/yKXsSYE1Y5gRoM88luC UlL6u5XQbTHIh0/sbcMa =2SEv -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/security-announce