-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-15_05.webgui                                   Security Advisory
                                                                     pfSense

Topic:          Multiple XSS Vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2015-04-15
Credits:        Nicholas Starke, Internal
Affects:        pfSense <= 2.2.1
Corrected:      2015-03-31 13:09:26 UTC (pfsense/master)
                2015-03-31 13:26:55 UTC (pfsense/RELENG_2_2, pfSense 2.2.2)

0.   Revision History

v1.0  2015-04-15  Initial release.
v1.1  2015-05-26  Corrected "Affects" specification.

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system. Users familiar with commercial
firewalls will quickly understand the web interface. Users unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were found in the
pfSense WebGUI after receiving a tip from Nicholas Starke about
load_balancer_pool_edit.php, which led to further discoveries in related
areas during our internal investigation.
* Stored XSS via the "name" and "descr" parameters in
  /usr/local/www/load_balancer_pool_edit.php
* Stored XSS via the "name" and "descr" parameters in
  /usr/local/www/load_balancer_monitor_edit.php
* Stored XSS via the "monitor" parameter in
  /usr/local/www/load_balancer_pool.php
* Stored XSS via the "poolname" and "sitedown" parameters in
  /usr/local/www/load_balancer_virtual_server.php
* Stored XSS via the "name" parameter in
  /usr/local/www/load_balancer_virtual_server_edit.php
* Stored XSS via the configuration revision description in
  /usr/local/www/diag_confbak.php

III. Impact

Due to the lack of proper encoding on the affected variables and pages,
arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

To take advantage of this vulnerability, a user with privileges to edit the
values on the affected pages is required.

IV.  Workaround

Upgrade to pfSense 2.2.2 or later, which includes fixes for these issues.

To mitigate the problem on older releases, use one or more of the following:

* Deny untrusted GUI users write access to the configuration using the
  "Deny Config Write" privilege.
* Limit access to the affected pages to trusted administrators only.

V.   Solution

Upgrade to pfSense 2.2.2. This may be performed in the web interface or
from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                   ddddf255b802e00a3408208f942a5d4049b6fd3a
                                 cb99d9918597ed40bf32010da2ce94faf7f37aa2
pfSense/RELENG_2_2               05a463843a9dbb4901974f22fb361873adcaae4b
                                 08c1db2dbfd4dcbbfa58e7e12ba9dca32eeb5e69
- - -------------------------------------------------------------------------

VII. References

None.
The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVZJweAAoJEBO5h/2SFPjaN4YP/2SFrzTUsu03KqA8gAQunWqL
ppoQvYnwCYiOCmsOgmuZauxu9EDWhByn2F/QehVmCpa1mBV3nYXXXsK7vcgHUs6c
hhN1yRMAHWymoQoqyjJK4WB3OPl+9SaqU2YHshQq87tg0K7TKC0zvwA2WtlDjKn2
RTeCE5b0QQ3oO88sgKKfBkQKg1Eo64hnuCNFOcH6OsMzoUinPe8FFvC09lY85uGh
dU8aT5Nodoknl0tAqMUAAXwrJpiPFhMeIA0CVuh0QX4hdp/HZthtC6PpU7nbIQOa
KVG/xmyuI3IVcwUxg/0LIG0NLsODkReq3BB3mDZ4le7F1O/gkpMUsBtrp8fbfeu4
P0SyVWawzcCd/ip37gLKdaM9E8LRSC1cwOUd9dYZ0l6f3N8VEdUVz9R7BJc6WFhb
GbuB2x9nuYpPzWBX9xLbkNGEK6aP71DOhlCgrRxI00k9ccG3bPw+ri3CO27i8AjW
3bHBFAV1JM/dKK8+mFRA2NmVPghe/mlBTsylF/WfjbOQ+Gvk+JhzqWYoIc8Tuanh
LfFjisF3+RCW7rHAsCtjhooAmlwAc3A0sGkPPfseD4S8uGbNRjZtOIy05L6iLYAJ
KrjQu4us36885Q+q2t0LtpX3DSg5f2+3ISXi6VwuV5E24gQhR1Tq2/s5pn/lpJTp
9AvdQTtySxis+xUyHfh1
=mu7Y
-----END PGP SIGNATURE-----
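The Impact section attributes every finding to "the lack of proper encoding on the affected variables and pages". The PHP below is an added illustration of that class of defect and its fix; it is not pfSense code and does not reproduce the patched files. The function names, the in-memory `$pools` array and the sample "descr" value are constructed for this example.

```php
<?php
// Added example (not pfSense code): stored XSS caused by writing a saved
// configuration field into HTML without encoding, beside the hardened form.
// render_pool_row_vulnerable, render_pool_row_safe, h, valid_pool_name and
// the $pools data are all constructed for this illustration.

// Constructed sample data: two pool entries as an editing user might have
// saved them. The second "descr" carries markup instead of a description.
$pools = [
    ['name' => 'web_pool', 'descr' => 'Front-end servers'],
    ['name' => 'lb_test',  'descr' => '<script>alert(1)</script>'],
];

// Vulnerable pattern: the stored value is interpolated into the page as-is.
// Whoever later views the list has the stored markup run in their browser,
// which is the "stored XSS" the advisory describes.
function render_pool_row_vulnerable(array $pool): string
{
    return "<tr><td>{$pool['name']}</td><td>{$pool['descr']}</td></tr>\n";
}

// Hardened pattern: encode each untrusted value at the point it is written
// into HTML. ENT_QUOTES also encodes single quotes, so the same helper is
// safe inside attribute values; the explicit charset avoids mismatches.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_pool_row_safe(array $pool): string
{
    return '<tr><td>' . h($pool['name']) . '</td><td>' . h($pool['descr']) . "</td></tr>\n";
}

// Complementary input validation for fields that have a narrow legitimate
// format. Output encoding is still required for free-text fields such as
// "descr", where a whitelist like this would reject valid descriptions.
function valid_pool_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $name) === 1;
}

foreach ($pools as $pool) {
    echo 'name valid: ' . (valid_pool_name($pool['name']) ? 'yes' : 'no') . "\n";
    echo 'vulnerable: ' . render_pool_row_vulnerable($pool);
    echo 'safe:       ' . render_pool_row_safe($pool);
}
```

Run with `php example.php`. For the second pool the vulnerable row emits a live `<script>` element, while the safe row emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as inert text. The advisory's workaround of denying untrusted users the "Deny Config Write" privilege maps onto the same boundary: the stored value is only dangerous once it reaches HTML unencoded, so both limiting who can write it and encoding it on output reduce the exposure.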