-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-15_03.webgui                                   Security Advisory
                                                                    pfSense

Topic:          Multiple XSS Vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2015-03-05
Credits:        High-Tech Bridge Security Research Lab
Affects:        pfSense <= 2.2.1
Corrected:      2015-03-05 15:09:43 UTC (pfsense/master)
                2015-03-05 15:08:52 UTC (pfsense/RELENG_2_2, pfSense 2.2.1)

0.   Revision History

     v1.0  2015-03-05 Initial release.

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system. Users familiar with commercial
firewalls will quickly understand the web interface. Users unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in the
pfSense WebGUI.
 * XSS via the "zone" parameter in status_captiveportal.php
 * XSS via the "if" and "dragtable" parameters in /firewall_rules.php
 * XSS via the "queue" parameter in firewall_shaper.php
 * XSS via the "id" parameter in services_unbound_acls.php
 * XSS via the "filterlogentries_time", "filterlogentries_sourceipaddress",
   "filterlogentries_sourceport", "filterlogentries_destinationipaddress",
   "filterlogentries_interfaces", "filterlogentries_destinationport",
   "filterlogentries_protocolflags" and "filterlogentries_qty" parameters
   on /diag_logs_filter.php

III. Impact

Due to the lack of proper encoding on the affected variables and pages,
arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

From the original report:

Input passed via the "zone" HTTP GET parameter to "/status_captiveportal.php"
script is not properly sanitized before being returned to the user. A remote
attacker can trick a logged-in administrator to open a specially crafted link
and execute arbitrary HTML and script code in browser in context of the
vulnerable website.

Input passed via the "if" and "dragtable" HTTP GET parameters to
"/firewall_rules.php" script is not properly sanitized before being returned
to the user. A remote attacker can trick a logged-in administrator to open a
specially crafted link and execute arbitrary HTML and script code in browser
in context of the vulnerable website.

Input passed via the "queue" HTTP GET parameter to "/firewall_shaper.php"
script is not properly sanitized before being returned to the user. A remote
attacker can trick a logged-in administrator to open a specially crafted link
and execute arbitrary HTML and script code in browser in context of the
vulnerable website.

Input passed via the "id" HTTP GET parameter to "/services_unbound_acls.php"
script is not properly sanitized before being returned to the user.
A remote attacker can trick a logged-in administrator to open a specially
crafted link and execute arbitrary HTML and script code in browser in context
of the vulnerable website.

Input passed via the "filterlogentries_time",
"filterlogentries_sourceipaddress", "filterlogentries_sourceport",
"filterlogentries_destinationipaddress", "filterlogentries_interfaces",
"filterlogentries_destinationport", "filterlogentries_protocolflags" and
"filterlogentries_qty" HTTP GET parameters to "/diag_logs_filter.php" script
is not properly sanitized before being returned to the user. A remote
attacker can trick a logged-in administrator to open a specially crafted link
and execute arbitrary HTML and script code in browser in context of the
vulnerable website.

IV.  Workaround

No workaround is available. Upgrade to pfSense 2.2.1 or later which includes
fixes for these issues.

The risk of such attacks being triggered remotely may be lowered by not using
the same browser session for firewall management and general web browsing.

V.   Solution

Upgrade to pfSense 2.2.1 upon its release. This may be performed in the web
interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                        Revision
- -------------------------------------------------------------------------
pfSense/master                     44a06d7de570f3f3faea4d48647280b4b431fdc0
                                   c678ca656b66d2135277bbed1f890e84555f6a27
                                   e52c3c88cb63624f08cce977ca1f512c28b32f3c
                                   32787389519d667b94da5f0884d4bd1045d89838
                                   6d1db7eca805d632c12e794a52715e3d703fefc6
pfSense/RELENG_2_2                 d9295c2ef6b9dc55ad97d49b7069c32ee7fdd836
                                   c49db631492406ef03faf7df060318fbedfd83cb
                                   108be9a52933b4f77ee9d8488a90494f7c2bace0
                                   033663df4566d15942e235e422f4b6629ed1d1e0
                                   5ec3f37fcfeb08b6c69ce1c37937de7be9260b25
- -------------------------------------------------------------------------

VII. References

None.
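Illustration of the defect class named in section III (a GET parameter
returned to the page without output encoding) and of the correction it
calls for. This is an added example written for readers of this advisory;
it is not pfSense code and does not reproduce any of the affected pages.
The function names, the page markup and the assumed numeric shape of the
"filterlogentries_qty" field are assumptions.

```php
<?php
// Added example; not pfSense code. All names and markup below are assumed.

// Hypothetical helper: read a GET parameter and encode it for output inside
// an HTML body or a quoted attribute. ENT_QUOTES escapes both " and ' so the
// value cannot terminate either attribute quoting style; ENT_SUBSTITUTE
// replaces invalid UTF-8 rather than silently returning an empty string.
function get_param_html(string $name, string $default = ''): string
{
    $value = isset($_GET[$name]) ? (string) $_GET[$name] : $default;
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// The defect class from section III, on a hypothetical page modelled on the
// "zone" parameter: the raw value is concatenated into the response, so any
// markup it carries is rendered by the administrator's browser.
function render_zone_unsafe(): string
{
    $zone = isset($_GET['zone']) ? (string) $_GET['zone'] : '';
    return '<h2>Captive portal zone: ' . $zone . '</h2>'
         . '<input type="text" name="zone" value="' . $zone . '">';
}

// Corrected form: identical markup, with the value encoded at the point of
// output. Encoding is done on output rather than on input so the stored
// value stays usable for anything other than HTML rendering.
function render_zone_safe(): string
{
    $zone = get_param_html('zone');
    return '<h2>Captive portal zone: ' . $zone . '</h2>'
         . '<input type="text" name="zone" value="' . $zone . '">';
}

// A second, independent layer for parameters with a known shape: a field
// that should only ever be a non-negative integer (assumed here for the
// "filterlogentries_qty" field) can be rejected before it is used at all.
function get_param_uint(string $name, int $default): int
{
    if (!isset($_GET[$name]) || !ctype_digit((string) $_GET[$name])) {
        return $default;
    }
    return (int) $_GET[$name];
}

// Constructed request for a stand-alone run (php -f this_file.php): the
// zone value carries a quote and a tag, the quantity is not purely numeric.
$_GET = ['zone' => 'guest" <i>not-data</i>', 'filterlogentries_qty' => '50x'];
echo render_zone_unsafe(), "\n"; // the tag and the quote reach the page unchanged
echo render_zone_safe(), "\n";   // both are emitted as character references
echo get_param_uint('filterlogentries_qty', 100), "\n"; // falls back to the default
```

Run with the PHP CLI and compare the two <input> lines: in the unencoded
version the quote in the value ends the attribute early, which is the
condition the report describes for every listed parameter; in the encoded
version the whole value stays inside the attribute. The integer check is
not a substitute for encoding, only an extra guard for fields whose shape
is known.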
The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJU+KtlAAoJEBO5h/2SFPjabVwQAI/1WwAkM3ocnO4hF4wnfVTS
fB9FovWmlFHHvC7XPspJ+a65ReKdmGgSWRO0tB0v8MBFFSbEiYWtAPY7t5IEZ6Dc
53jVrnOAng81jHJ37v/DCCU8OuK/Zhelf8Ctp3pv7v1ToNDKGhumAqVoKsac9BqF
2d/50hbHTIdvzzm5xlelUAA3vjKud2SYUvdJJkcJCnd2CC3B8bNC6yIezbBGbpkr
lg8RMRc8/tRfP5RN6G7aloPe0isORr+4u99oflbzYU/5pbpkXQ0NFEUJJcpkRgJU
Qh/eqKSMPLg3G6VyDwmZkVF4os0O+lk/VQgIkDciGdI/aSXG8yvoOvsEnDl86z0w
ZoyYztcZSy5bxeGIrhtmWa4ZPqWxrPURuJnDWlJiJhIoa6C6mI0yJiyPQ1SibCnd
E7Z840/9g1jEkLTI3kvgOs5aiVUwrV4Dm/mp5vEoKmB/Wf8BJo6Ss+jK0Q+OcJmg
k1lMrzytATL31X+qLlYcvhQDoLX9wNl1z7T1/geM5lufObGBRU4sezM7dYlb+pwQ
lz2/z6r6dNyJeAkjKUEMR6IIo3LSUpnxlDlmf+MLYeYsMWSS3cIQoWeqMbFMHbKq
+z98FReU9ZkodyOfD0eitOPTU3B229hS0f/BMYdQgtNis01g0SYalyvfWSG8fBJV
X5y0uU8YY3XuGsLR4xQc
=WJtO
-----END PGP SIGNATURE-----