=============================================================================
pfSense-SA-15_04.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary file deletion vulnerability in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2015-03-05
Credits:        High-Tech Bridge Security Research Lab
Affects:        pfSense <= 2.2.1
Corrected:      2015-03-05 14:01:05 UTC (pfsense/master)
                2015-03-05 14:00:18 UTC (pfsense/RELENG_2_2, pfSense 2.2.1)

0.   Revision History

v1.0  2015-03-05  Initial release.

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system.

Users familiar with commercial firewalls will quickly understand the web
interface. Users unfamiliar with commercial-grade firewalls may encounter a
short learning curve.

II.  Problem Description

A vulnerability was discovered in the pfSense WebGUI that could lead to
arbitrary file deletion. Insufficient validation of the HTTP request origin
and of the "deletefile" HTTP GET parameter in the
"/system_firmware_restorefullbackup.php" script can lead to arbitrary file
deletion. A remote attacker can trick a logged-in administrator into visiting
a malicious page carrying a CSRF exploit and thereby delete arbitrary files on
the target system with root privileges.

III. Impact

Due to the lack of validation on the affected actions and pages, a CSRF
attack could be executed in the user's browser to trigger an unwanted action.
Loading the "/system_firmware_restorefullbackup.php" page with the
"deletefile" HTTP GET parameter defined deletes the specified file without
CSRF protection, path sanitization, or any other verification. Passing a
relative path in the parameter would allow deletion of an arbitrary file.

IV.  Workaround

No workaround is available. Upgrade to pfSense 2.2.1 or later, which includes
fixes for these issues.

The risk of such attacks being triggered remotely may be lowered by not using
the same browser session for firewall management and general web browsing.

V.   Solution

Upgrade to pfSense 2.2.1 upon its release. This may be performed in the web
interface or from the console. See
https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                        Revision
-----------------------------------------------------------------------------
pfSense/master                          eae1fb1df242d8cc492796890c0d29fc599f76f7
pfSense/RELENG_2_2                      707ed023f41ccd9a081f56b444f85022af8c7e2a
-----------------------------------------------------------------------------

VII. References

None.
The latest revision of this advisory is available at
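As an added illustration that is not pfSense's own code, the PHP below shows a backup-file delete handler in the insecure shape sections II and III describe (GET-triggered, no request-origin check, no path validation) next to a hardened form that confines the name to one directory and requires a session-bound token; the directory, field names and token storage are assumptions.

```php
<?php
// Added illustration, not pfSense's code: the two defects the advisory names
// (no CSRF protection, no path sanitization) and one way to close both.
// $backup_dir, the form field names and $_SESSION['csrf_token'] are assumptions.

$backup_dir = '/tmp/constructed_backups';   // constructed sample directory

// INSECURE shape: a state change on GET, no origin check, raw parameter in the path.
function delete_backup_insecure(string $backup_dir): void
{
    if (isset($_GET['deletefile'])) {
        // A relative path in "deletefile" walks out of $backup_dir, and any
        // page the administrator visits can cause the browser to send this GET.
        unlink($backup_dir . '/' . $_GET['deletefile']);
    }
}

// HARDENED shape: POST only, token bound to the session, name confined to $backup_dir.
function delete_backup_hardened(string $backup_dir): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;                        // state changes never ride on GET
    }
    $token = $_POST['csrf_token'] ?? '';
    if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
        return false;                        // request did not originate from our own form
    }
    return safe_unlink_in_dir($backup_dir, $_POST['deletefile'] ?? '');
}

// Delete $name only if it is a bare file name resolving to a regular file
// directly inside $dir (rejects separators, "..", and symlinks that escape).
function safe_unlink_in_dir(string $dir, string $name): bool
{
    if ($name === '' || $name === '.' || $name === '..' || $name !== basename($name)) {
        return false;                        // contains a separator or is a traversal token
    }
    $base   = realpath($dir);
    $target = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false || dirname($target) !== $base || !is_file($target)) {
        return false;                        // missing, not a regular file, or resolved elsewhere
    }
    return unlink($target);
}
```

Serving the token in the form and comparing it with hash_equals() is what makes the cross-site request fail; the realpath()/dirname() check is what keeps a surviving path parameter inside the backup directory.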