=============================================================================
pfSense-SA-14_16.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Multiple XSS Vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2014-08-08
Credits:        Stefan Horlacher, Arcus Security GmbH
Affects:        pfSense <= 2.1.4
Corrected:      2014-08-06 19:57:05 UTC (pfsense/master)
                2014-08-06 19:53:29 UTC (pfsense/RELENG_2_1, pfSense 2.1.5)
CVE Name:       CVE-2014-6306

0.   Revision History

v1.0  2014-08-08  Initial release.
v1.1  2015-06-01  Added CVE ID.

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system. Users familiar with commercial
firewalls will quickly understand the web interface. Users unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

Multiple Persistent Cross-Site Scripting (XSS) vulnerabilities were
discovered in the pfSense WebGUI during a security audit.

  * Persistent XSS in firewall_aliases_edit.php
  * Persistent XSS in firewall_virtual_ip_edit.php / services_ntpd.php +
    interfaces_gre_edit.php and interfaces_gif_edit.php

III. Impact

Due to the lack of proper encoding of the affected variables on the
affected pages, arbitrary JavaScript can be executed in the user's browser.
The user's session cookie or other information from the session may be
compromised.

Characters sent via POST in the "detail" variable on
firewall_aliases_edit.php are not properly encoded, and the value is saved
in the firewall configuration.

The "descr" parameter for a Virtual IP address on the
firewall_virtual_ip_edit.php script is not properly validated or sanitized
before display on certain pages, and its value is stored in the firewall
configuration.

IV.  Workaround

No workaround is available. Upgrade to pfSense 2.1.5 or later, which
includes fixes for these issues.

The risk of such attacks being triggered remotely may be lowered by not
using the same browser session for firewall management and general web
browsing.

V.   Solution

Upgrade to pfSense 2.1.5 upon its release. This may be performed in the
web interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
pfSense/master                   92ca4bc3b4d217a8303ff1ac95eb539ba84727e4
                                 c3e7784158a020f9fbfb4cb87be8a54ab77f1664
                                 88c24958a9625d2daa55adb2bb685c70ec9d6eba
pfSense/RELENG_2_1               2276d7431996456f3b6bbeffebc5c76ac873f8c5
                                 bf2fb3db04c8724dec8eba8fd29dbb507da67655
                                 978c71d28ffb108c91f9b4ae79f225780d574308
- -------------------------------------------------------------------------

VII. References

None.
The latest revision of this advisory is available at
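The missing output encoding that section III describes, as an added illustration that is not pfSense's code: the `$config` array, `save_vip` and the two render functions are constructed stand-ins for the page flow (a submitted "descr" value stored in the configuration and later echoed on a list page), written in PHP, the WebGUI's language.

```php
<?php
// Added illustration, not pfSense code: a constructed stand-in for the
// configuration store and two render functions showing the stored-XSS
// pattern from section III next to the output-encoding remedy.

// Constructed stand-in for the firewall configuration array.
$config = ['virtualip' => ['vip' => []]];

// Store a submitted Virtual IP description exactly as received.
// Keeping the raw value is fine; the defect lies in how it is rendered.
function save_vip(array &$config, array $post): void
{
    $config['virtualip']['vip'][] = ['descr' => (string)($post['descr'] ?? '')];
}

// Vulnerable rendering: the stored description is concatenated into HTML
// with no encoding, so any markup in it is interpreted by every browser
// that later views the list page (the "persistent" part of the finding).
function render_vip_list_vulnerable(array $config): string
{
    $html = '';
    foreach ($config['virtualip']['vip'] as $vip) {
        $html .= '<td>' . $vip['descr'] . "</td>\n";
    }
    return $html;
}

// Hardened rendering: encode at the point of output so the description is
// displayed as text. ENT_QUOTES also covers attribute contexts on pages
// that place the value inside a tag attribute.
function render_vip_list_fixed(array $config): string
{
    $html = '';
    foreach ($config['virtualip']['vip'] as $vip) {
        $html .= '<td>'
            . htmlspecialchars($vip['descr'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
            . "</td>\n";
    }
    return $html;
}

// Constructed sample input: harmless markup acts as the marker.
save_vip($config, ['descr' => 'WAN alias <i>marker</i> "quoted"']);

echo "Vulnerable:\n", render_vip_list_vulnerable($config);
echo "Fixed:\n", render_vip_list_fixed($config);
```

In the vulnerable output the `<i>` element reaches the browser as markup; in the fixed output it appears literally, which is the behaviour an audit would verify on each affected page.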