BSDSec

deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-17_09.webgui

21 November, 2017 by security@pfsense.org | pfsense 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-17_09.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Multiple XSS vulnerabilities in the WebGUI Dashboard

Category:       pfSense Base System
Module:         webgui
Announced:      2017-11-14
Credits:        Quentin Rhoads-Herrera, Security Researcher
Affects:        pfSense software version 2.4.x, <= 2.4.1
Corrected:      2017-10-24 19:50:56 UTC (pfSense/master, pfSense 2.4)

0.   Revision History

v1.0  2017-11-14 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

Cross-Site Scripting (XSS) vulnerabilities were found in the dashboard and
widgets, components of the pfSense software WebGUI, on version 2.4.1 and earlier
of the 2.4.x release branch.

* On index.php, the "sequence" parameter component for multiple widget instance
  counters was not validated and it was echoed back to the user directly without
  encoding. A specially-crafted submission could store an invalid widget
  sequence which could be used as an XSS vector.

* On numerous widgets which support multiple instances, the widgetkey parameter
  was taken from $_REQUEST and echoed back to the user directly without
  encoding, which could be used as an XSS vector.

III. Impact

Due to the lack of proper encoding on the affected variable susceptible to XSS,
arbitrary JavaScript can be executed in the user's browser. The user's session
cookie or other information from the session may be compromised.

IV.  Workaround

No workaround.

V.   Solution

Upgrade to pfSense software version 2.4.2 or a later version. This upgrade may
be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     7b973ceb6f72e22ee1b335128fb8d7f655c82879
                                   e3907730bdcc879f968d5d917ec9ac6567518e58
- - -------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-17_09.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJaC0duAAoJEBO5h/2SFPjahloQAKbpnwL4jU3urkUUtjPrKHNh
A3Dg7zpDCr9FuUrZhFcVqNkMNoTnaIlRvlpts4zEFY7Mog6cg+iB/DiYzDyyCMG9
Cd7vaF3tN0cdXrFOkGQp/j70A7Smqftp0wK+WUZ/tSCFhEAtq7AL0nZawPhRlUcc
/+0RozlwF9VGzJZv7HEhmmrhc+cEq1JlNgJlr7eVfs/6I0OhgiPpZ2+BbaBWShVx
D46IbsHs5URNOcrg9HZuPwqlQ4kmn//iV8XN/y9I3SisN+yi3I5pgi9A5nRKUyoj
xxgdHPmYVWA+5f8+jpcjmdSbNpKbzzP3WObKyj23N3Upd/DltNN1l3QL4mzr+mca
bDq+rVWOEP4M60ZEU3gmB4lmt60i4Xc/TPl4fcpy2C6KmxTEGuAM4Y2MVoXqz+6F
XLTXuaYie+v7GsPOL3T2qZ3BFviRZG6gSIg+itbSLa6cJI6VPC8se5w/m5PeYt+f
x1zY+Pp/ZEBnxOFoE+MQIPcvagNcBd9tsmrRks9xhPUALIMB12d2R40OQhP9A8YG
5IGnh87MhgOJXW1Cbfn50M74scVNfcT8AWx4R49IYQDAc21Vb0Bs4h3/LD6WBxOE
U++CJ20yzfUQ8oo2GTNRi4urTuqkL6aIxZQWOd5i+6dL/HDWA9xvtlgPPGFR6jbj
tMOod6YYEb19pLBbmz7O
=vITu
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce