=============================================================================
pfSense-SA-14:03.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Reflected XSS

Category:       pfSense Base System
Module:         webgui
Announced:      2014-04-04
Credits:        William Costa
Affects:        pfSense <= 2.1
Corrected:      2014-03-12 13:42:49 UTC (pfsense/master)
                2014-03-12 14:42:32 UTC (pfsense/RELENG_2_1, pfSense 2.1.1)
CVE Name:       Pending

I.   Background

pfSense is a free network firewall distribution, based on the FreeBSD
operating system with a custom kernel and including third party free software
packages for additional functionality. pfSense provides most of the
functionality of common commercial firewalls, and many times more. pfSense
includes a web interface for the configuration of all included components.
Knowledge of FreeBSD is absolutely not necessary. Unlike some similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge, no need to use the command line for anything, and no need to ever
manually edit any rule sets. In fact, the majority of pfSense users have never
installed or used a stock FreeBSD system. Users familiar with commercial
firewalls catch on to the web interface quickly, though there can be a
learning curve for users not familiar with commercial-grade firewalls.

II.  Problem Description

A reflected XSS attack is possible using the id parameter on
vpn_pppoe_edit.php and other similar pages.

This allows injection of arbitrary HTML or scripting code to be presented to
the user's browser for execution.

III. Impact

If a user is logged into their firewall and they follow a link which points to
an affected page on their firewall including an attack, they could be
subjected to an XSS or other similar attack which relies on arbitrary injected
code.

IV.  Workaround

The issues can be mitigated by not using the same browser for firewall
administration and general web browsing concurrently.

V.   Solution

Perform one of the following:

1) Upgrade to pfSense 2.1.1 upon its release. This can be performed in the
   web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

2) To update your vulnerable system via a source code patch:

   Manually apply the changes from the following commits:

   pfSense 2.1.x:
   https://github.com/pfsense/pfsense/commit/ea44d3baafba7e53317604e5fd964e3839d0d6d5
   https://github.com/pfsense/pfsense/commit/0e6cf71b17cc57c40aebc64359c1a27e2515b7b7

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                   49f3f28fea92114b09d3b2d8103398c4adcb3635
pfSense/master                   e41ec5848f21015068255c1d61d01edf442e8e7e
pfSense/RELENG_2_1               ea44d3baafba7e53317604e5fd964e3839d0d6d5
pfSense/RELENG_2_1               0e6cf71b17cc57c40aebc64359c1a27e2515b7b7
-------------------------------------------------------------------------

VII. References

CERT VU#959500

The latest revision of this advisory is available at
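
To audit for the link-based attack described in sections II and III, the following added example (not part of the original advisory and not pfSense code) scans request logs for `*_edit.php` requests whose `id` query parameter is not a plain integer. It assumes the web GUI's requests are logged in Common Log Format (for instance by a proxy in front of it) and that a legitimate `id` is a numeric row index; `other_edit.php` and all log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: requests are logged in Common/Combined Log Format.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Assumption: on *_edit.php pages a legitimate id is a small numeric row index.
VALID_ID_RE = re.compile(r"[0-9]{1,6}")


def suspicious_id_requests(lines):
    """Return (client, path, decoded_id) for *_edit.php requests with a non-numeric id."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line this parser understands
        url = urlsplit(m.group("target"))
        if not url.path.endswith("_edit.php"):
            continue
        # parse_qs percent-decodes values; keep_blank_values so "id=" is inspected too.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if not VALID_ID_RE.fullmatch(value):
                findings.append((m.group("client"), url.path, value))
    return findings


# Constructed sample lines (not real traffic); addresses are documentation ranges
# and other_edit.php is a hypothetical stand-in for "other similar pages".
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Apr/2014:10:00:01 +0000] "GET /vpn_pppoe_edit.php?id=0 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [04/Apr/2014:10:00:07 +0000] "GET /vpn_pppoe_edit.php?id=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5188',
    '198.51.100.7 - - [04/Apr/2014:10:02:30 +0000] "GET /other_edit.php?id=3&if=wan HTTP/1.1" 200 9001',
    '198.51.100.7 - - [04/Apr/2014:10:02:31 +0000] "GET /index.php?id=%3Ci%3E HTTP/1.1" 200 2048',
    '192.0.2.10 - - [04/Apr/2014:10:05:12 +0000] "GET /other_edit.php?id=7abc HTTP/1.1" 200 7010',
]

if __name__ == "__main__":
    for client, path, value in suspicious_id_requests(SAMPLE_LOG):
        print(f"{client} {path} id={value!r}")
```

Only query strings are inspected, which matches the followed-link scenario in the Impact section; request bodies are not present in this log format.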