[Security-announce] pfSense-SA-17_05.webgui
20 July, 2017 by security@pfsense.org | pfsense
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=============================================================================
pfSense-SA-17_05.webgui Security Advisory
pfSense
Topic: Multiple XSS vulnerabilities in the WebGUI
Category: pfSense Base System
Module: webgui
Announced: 2017-07-19
Credits: Security Innovation, Inc
Affects: pfSense software version <= 2.3.4
Corrected: 2017-06-16 19:24:38 UTC (pfSense/master, pfSense 2.4)
           2017-06-16 19:36:25 UTC (pfSense/RELENG_2_3, pfSense 2.3.5)
           2017-06-16 19:36:14 UTC (pfSense/RELENG_2_3_4, pfSense 2.3.4_x)
0. Revision History
v1.0 2017-07-19 Initial SA draft
I. Background
pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.
The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge. The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.
II. Problem Description
Cross-Site Scripting (XSS) vulnerabilities were found in three pages of the
pfSense software WebGUI on version 2.3.4 and earlier.
* On vendor/filebrowser/browser.php, which is part of the "Browse" function on
diag_edit.php, the "filename" parameter can be used to trigger an XSS if a
file exists with a specially-crafted name.
In order to exploit this, an attacker must already be able to write files with
arbitrary names to the firewall and then coerce an administrator with GUI
access to load that same file in diag_edit.php through the file browser.
* On firewall_nat_edit.php, the "interface" parameter was not validated on save,
so a specially-crafted submission could store an interface name that triggers
an XSS when the page's dst_change() JavaScript function later runs. Because the
name is stored, the script runs whenever an administrator opens the affected
entry.
* On diag_tables.php, the "type" parameter, which carries the name of the table
to display, was not validated against the list of current tables. The
unvalidated parameter was submitted back via AJAX to load the nonexistent
table and was presented to the user unencoded, giving a reflected XSS.
III. Impact
Because the affected values are emitted without proper output encoding (and,
for the interface and table names, without input validation), arbitrary
JavaScript can be executed in the browser of a user viewing the affected page.
The user's session cookie or other information from the session may be
compromised.
IV. Workaround
No workaround. To help mitigate the problem on older releases, use one or more
of the following:
* Do not give firewall administrators access to pages or functions which allow
writing arbitrary files to the firewall.
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for
non-administrative web browsing.
V. Solution
Upgrade to pfSense software version 2.3.4-p1 or a later version. This upgrade
may be performed in the web interface or from the console.
See https://doc.pfsense.org/index.php/Upgrade_Guide
VI. Correction details
The following list contains the correction revision numbers for each
affected item.
Branch/path                  Revision
- - -------------------------------------------------------------------------
pfSense/master               e90eaf31f079dc29187d1c08cfe88ceabc0786f4
                             9c8540ca53f8258a44aaf13100d575b30ae77e65
                             d0acfddd3afb11cb53aa13a00bf2f89b0a98ae4f
pfSense/RELENG_2_3           bae3b2be97be0d1bee9c49244e3d7f1dcb03687f
                             6c989d4ac23cfd7888d6881a3716875bb3298a07
                             d6f20c329751e249d1066e0e3241e77a84dcc338
pfSense/RELENG_2_3_4         425174aef7ac56499d710316b3c23cf2e4ac7947
                             e243e3253393a20ae0ac442b58438075d46f6b16
                             5ca16d84d21d4551a090176090dc1cf7248431a5
- - -------------------------------------------------------------------------
VII. References
<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>
The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-17_05.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce