=============================================================================
pfSense-SA-15_01.webgui                                   Security Advisory
                                                                    pfSense

Topic:          Multiple Cross-Site Request Forgery protection bypass
                vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2015-01-23
Credits:        Nicholas Starke
                Alain Homewood (PricewaterhouseCoopers New Zealand)
Affects:        pfSense <= 2.1.5
Corrected:      2015-01-23 (2.2-RELEASE)

0.   Revision History

v1.0  2015-01-23  Initial release.

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system. Users familiar with commercial
firewalls will quickly understand the web interface. Users unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting vulnerabilities were discovered in the pfSense
WebGUI during a security audit.

  * Multiple XSS in System > Advanced, Notifications page.
  * XSS in captive portal status widget
  * XSS in edit.php

III. Impact

Due to the lack of encoding on the affected actions and pages, an attacker
could cause an administrator's browser session to trigger an unwanted action
by getting them to browse to a crafted URL.

IV.  Workaround

No workaround is available. Upgrade to pfSense 2.2 or later, which includes
fixes for these issues.

The risk of such attacks being triggered remotely may be lowered by not using
the same browser session for firewall management and general web browsing.

V.   Solution

Upgrade to pfSense 2.2 release. This may be performed in the web interface or
from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide

The latest revision of this advisory is available at
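The two defences the advisory's Impact section implies, output encoding of reflected values and refusing state changes that arrive without a per-session CSRF token, as an added example that is not pfSense's own code; the Session class, the handle_notifications() handler and its "email" and "csrf_token" parameters are hypothetical stand-ins for a WebGUI settings page:

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Session:
    """Constructed stand-in for a WebGUI login session (hypothetical, not pfSense code)."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    notifications_email: str = ""


def handle_notifications(session: Session, method: str, params: Dict[str, str]) -> Tuple[int, str]:
    """Handle a hypothetical notifications settings page.

    Returns (status, html_body). A setting is changed only by a POST that
    carries the session's CSRF token; a crafted URL reached by a plain GET,
    or a POST without the right token, is refused before any state is touched.
    """
    if method == "POST":
        supplied = params.get("csrf_token", "")
        # Constant-time comparison so the check does not leak the token via timing.
        if not hmac.compare_digest(supplied, session.csrf_token):
            return 403, "<p>CSRF check failed.</p>"
        session.notifications_email = params.get("email", "")
        status = 200
    elif method == "GET":
        # Rendering the form is safe; it never changes state.
        status = 200
    else:
        return 405, "<p>Method not allowed.</p>"

    # Output encoding: every value reflected into the page goes through
    # html.escape, so attacker-controlled text renders as text, not markup.
    shown = html.escape(session.notifications_email, quote=True)
    body = (
        f'<input name="email" value="{shown}">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
    )
    return status, body
```

The hidden token is emitted into the form so a legitimate POST from the WebGUI's own page carries it, while a link from another site cannot know it.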