-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-15_06.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Multiple XSS Vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2015-05-25
Credits:        Nicholas Starke, William Costa, Internal
Affects:        pfSense <= 2.2.2
Corrected:      2015-06-16 17:41:11 UTC (pfsense/master)
                2015-06-16 17:41:12 UTC (pfsense/RELENG_2_2, pfSense 2.2.3)

0.   Revision History

v1.0  2015-05-01  Added XSS from Nicholas Starke.
v2.0  2015-05-25  Added XSS from William Costa.
v3.0  2015-06-16  Additional XSS discoveries from Nicholas Starke and
                  discoveries from an internal review.

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system.

Users familiar with commercial firewalls will quickly understand the web
interface. Users unfamiliar with commercial-grade firewalls may encounter a
short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were found in the
pfSense WebGUI.
* Stored XSS via the "descr" parameter in
  /usr/local/www/system_authservers.php (Found by Nicholas Starke)
* Stored XSS via the "proxypass" parameter in
  /usr/local/www/system_advanced_misc.php (Found by Nicholas Starke)
* Stored XSS via the "smtpport" parameter in
  /usr/local/www/system_advanced_notifications.php (Found by Nicholas Starke)
* Reflected XSS via the "zone" parameter in
  /usr/local/www/services_captiveportal_zones.php when deleting a zone
  (Found by William Costa)
* Reflected XSS via the "adaptiveend", "adaptivestart", "maximumstates",
  "maximumtableentries", and "aliasesresolveinterval" parameters in
  /usr/local/www/system_advanced_firewall.php (Found by Nicholas Starke)
* Reflected XSS via the "proxyurl", "proxyuser", and "proxyport" parameters
  in /usr/local/www/system_advanced_misc.php (Found by Nicholas Starke)
* Reflected XSS via the "srctrack", "use_mfs_tmp_size", and
  "use_mfs_var_size" parameters in /usr/local/www/system_advanced_misc.php
  (Found internally)
* Reflected XSS via the "name", "notification_name", "ipaddress",
  "password", "smtpipaddress", "smtpport", "smtpfromaddress",
  "smtpnotifyemailaddress", "smtpusername", and "smtppassword" parameters
  in /usr/local/www/system_advanced_notifications.php
  (Found by Nicholas Starke)
* XSS via the "port", "snaplen", and "count" parameters in
  /usr/local/www/diag_packet_capture.php (Found internally)
* XSS via the "pppoe_resethour", "pppoe_resetminute", "wpa_group_rekey",
  and "wpa_gmk_rekey" parameters in /usr/local/www/interfaces.php
  (Found internally)
* XSS via the "pppoe_resethour" and "pppoe_resetminute" parameters in
  /usr/local/www/interfaces_ppps_edit.php (Found internally)
* XSS via the "member" array parameter in
  /usr/local/www/interfaces_qinq_edit.php (Found internally)
* XSS via the "port" and "retry" parameters in
  /usr/local/www/load_balancer_pool_edit.php (Found internally)
* XSS via the "pkgrepourl" parameter in
  /usr/local/www/pkg_mgr_settings.php (Found internally)
* XSS via the "zone" parameter in
  /usr/local/www/services_captiveportal.php (Found internally)
* XSS via the "port" parameter in /usr/local/www/services_dnsmasq.php
  (Found internally)
* XSS via the "server" array parameter in /usr/local/www/services_ntpd.php
* XSS via the "port" parameter in /usr/local/www/services_unbound.php
  (Found internally)
* XSS via the "cache_max_ttl" and "cache_min_ttl" parameters in
  /usr/local/www/services_unbound_advanced.php (Found internally)
* XSS via the "sshport" parameter in
  /usr/local/www/system_advanced_admin.php (Found internally)
* XSS via the "id", "tunable", "descr", and "value" parameters in
  /usr/local/www/system_advanced_sysctl.php (Found internally)
* XSS via the "firmwareurl", "repositoryurl", and "branch" parameters in
  /usr/local/www/system_firmware_settings.php (Found internally)
* XSS via the "pfsyncpeerip", "synchronizetoip", "username", and
  "passwordfld" parameters in /usr/local/www/system_hasync.php
  (Found internally)
* XSS via the "maxmss" parameter in /usr/local/www/vpn_ipsec_settings.php
  (Found internally)
* XSS via the "ntp_server1", "ntp_server2", "wins_server1", and
  "wins_server2" parameters in /usr/local/www/vpn_openvpn_csc.php
  (Found internally)
* Multiple XSS issues were identified in obsolete/unused files. These
  files have been removed:
    /usr/local/www/load_balancer_relay_action.php
    /usr/local/www/load_balancer_relay_action_edit.php
    /usr/local/www/load_balancer_relay_protocol.php
    /usr/local/www/load_balancer_relay_protocol_edit.php
  (Found internally)

III. Impact

Due to the lack of proper output encoding on the affected variables and
pages, arbitrary JavaScript can be executed in the browser of a user who
is logged in to the WebGUI. The user's session cookie or other information
from the session may be compromised. Because the WebGUI is an
administrative interface, script running with an administrator's session
can also perform any action that administrator could perform.

The reflected cases require the victim to submit attacker-controlled input
to the affected page (for example by following a crafted link); the stored
cases trigger whenever an administrator views a page that displays the
saved value.

IV.  Workaround

Upgrade to pfSense 2.2.3 or later, which includes fixes for these issues.

To mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.

V.   Solution

Upgrade to pfSense 2.2.3.
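The pattern behind the Impact section, shown as an added example (this is illustrative PHP written for this page, not pfSense's own code or its patch). It assumes the common WebGUI flow in which a submitted value that fails validation is echoed back into the form so the user can correct it; the parameter name "sshport" is taken from the list above as a stand-in, and the attacker input is constructed. The two render functions differ only in whether the value is encoded before it lands inside an HTML attribute.

```php
<?php
// Added example, not pfSense code. Demonstrates how a numeric-looking form
// field becomes an XSS sink when the rejected value is echoed back unencoded,
// and what output encoding does to the same input.

// Constructed attacker input: closes the value="" attribute and injects markup.
$submitted = '22"><script>alert(document.cookie)</script>';

// Input validation as a form would do it. Rejecting the value is correct, but
// the error path still re-renders the form with the submitted value "sticky",
// and that re-render is where unencoded data reaches the HTML (assumption
// about the flow, see lead-in).
function validate_port(string $v): bool
{
    return ctype_digit($v) && (int)$v >= 1 && (int)$v <= 65535;
}

// Vulnerable: raw concatenation into an attribute. The attacker's quote
// terminates the attribute and the rest is parsed as markup.
function render_vulnerable(string $val): string
{
    return '<input name="sshport" value="' . $val . '">';
}

// Fixed: htmlspecialchars() with ENT_QUOTES encodes < > & " ' so the browser
// treats the whole value as text, whatever it contains.
function render_fixed(string $val): string
{
    return '<input name="sshport" value="'
        . htmlspecialchars($val, ENT_QUOTES, 'UTF-8') . '">';
}

if (!validate_port($submitted)) {
    echo "Vulnerable: " . render_vulnerable($submitted) . "\n";
    echo "Fixed:      " . render_fixed($submitted) . "\n";
}
```

Run with `php example.php`. The vulnerable line comes out as `<input name="sshport" value="22"><script>alert(document.cookie)</script>">`, which a browser executes; the fixed line encodes the quote and angle brackets (`&quot;&gt;&lt;script&gt;...`) and the input element keeps the payload as an inert string. The point for reviewers is that validation of the stored value does not protect the error path that reflects the original input, so every echo of user-supplied data into HTML needs encoding regardless of what validation accepts.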
This may be performed in the web interface or from the console. See
https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                           fd2526291a9672aa5119120495c03c4d357297f5
                                         7d2af3730d4a5a25bead4d284f1ba4da6daa24ad
                                         034620d62ae1026679da444f860f0467ca572eb4
                                         26b8101b4f2d39e2f342237f7fa11ef9cce4b5f8
                                         1cdfcaf40d8bf08f2e42837813f950415e1e3532
                                         ee3de7b191e3735b2d03a932809ed37e22e03177
                                         1cdfcaf40d8bf08f2e42837813f950415e1e3532
                                         3aef3ad0c052443b1801ec216e1e6f87a6d984a8
                                         2debaf5c34065aee52e4c095f4b120c5da518d3e
                                         b18d2108db73e33efd645ddee0e4a13b60347f8b
                                         5b8c4101b30939c02efc80164da8804ebafcfc51
                                         dd5ec20f053e7bb82fff3e90966182402e61438d
                                         f68e2f9f0fe76a0b23a43dd9106fcdadb1783b63
                                         05dea4b71f0ee7c7ec2484daefa54aa24cef4bb8
                                         f727f2570925017a89a5c780a973fa11730d623f
                                         b29a65a493695797472e5483c5cccc3583f42809
                                         55f6b38bca7721dc371d2d0df59a3fd5d8fa5eb7
                                         e08298127dbe3f00c0789f800d8ed38717e2d54c
                                         df6a9c6d7c187b9a8e382d6501e57b96864b9d3f
                                         a5e950ae272a9afda84f99d64152be53cba3b2be
                                         ab2fd59d63e0ae90da1ab47a844f1b628f2d0709
                                         84a2e91548687baab9c53b2d03cee65af95bf3a1
                                         c28a785ae98c4500f3550595366c272decb87847
                                         c28ab88c24a8829dc324963526a1c53a558aa1ab
pfSense/RELENG_2_2                       e29271f2fb7e3490942f9f32684524348b254a9b
                                         ac880ee72b4ff0859ef7473f0d96c1d9f98f0427
                                         2a1b44c96ed7b1249b31b536f510b14ebac2b472
                                         fd90a77fdf54204cf24b960b2e0b8549419be357
                                         6dbe58e1018b524d9085ac1a84eb6564d2adc955
                                         1a44770de93377392993c5baa76a69cdee02185d
                                         6dbe58e1018b524d9085ac1a84eb6564d2adc955
                                         621baeb604d1125e10222a70ba9a7efa85eff22b
                                         d213c48520c6d694e660b208340e4e632e153585
                                         5ef9708e4d1accdf1b1db7c6c2c8541178368f60
                                         7a29e654276017c3fe13bc1b3b274fd5ef1adffc
                                         e959a567e51112c61fea0bf86e593ff433336fd0
                                         9162143f1258f82c3b731370a8166a3ccaba6509
                                         f4bbd64dec0ba1b9bcf3b36d640f839dfebec348
                                         faa9164224d7b9929c4254c503d32394329e1a59
                                         1d92e91f9b22849cdf40771a39ec5c22a1022c7c
                                         3642b3489d0833c1206463e252e38ba200bf9c02
                                         d674c38db203d12e6000a16a410bcd74d4f744f8
                                         0ec282d48804947f953547b0b5f825e43a1e344d
                                         de5f0b6122f1c94c7d2cf4329d8bfd11429204c4
                                         e9885763437635426f1a8a563af74467f29f329a
                                         f128ee222472b05c9ba9f61abbf772518b926528
- - -------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVgH9rAAoJEBO5h/2SFPjaUDwQAL/JIc9imFTR42MPTafnBh2+
z76K2Ddu3tVL1NbhjONvluta9slGaBpZEasBDbJ98vuWGog7vNd6JmBFQXsxxtuJ
TwgprixehR0cl+Hzc1A/FH7xWcQNM+FcOi3d1+oYMtu3z7bUIYzxvJYRNfbgE7VV
sIsKnlIQWaLeMPuE9uv6+ZXULrzsMkKMdYuZgm+TFQFR4O2yyiwIIHM81aZM/rNx
oAwaDS+XtfkBNLoxG6FfyMEFthR1xqbw2+jX8BIpvWzNpRq0D9VaLDlO4yGA0Lb6
5nVlz/0WLMu1ckwEuSTqBvHPapLjwJSxCwYqQTWBNYR2UuCTkv7d1KmmocrHNFoi
3o6GG5DULZSS27yeVgAufwUER1q4rksm3GOg/OhznqP/C7woFJastNmQOLRa7Jy0
cHbmtYA/pZiTxNBJzqJaC+nqoGUkYV87vLySDPt4Y5pyVKS9VuebHb+oiGB9z9Qw
0y/SSoRSEwdXWSDD6up6sgtZm9+b9D1CkEphEi2POBnQ8M8/3DhfV0cnE+RN4IO2
oUUt9unGjupe7d/7Lkm800H32I13BhPK0elatdRSoY8BTtr2ukrA+JkCy1t3vEzh
w0ReZOnNbtirS07fqXot/zkBf3V5iX32a2jEoFqKCXFpkZnjuN1ISwn2t1nkkLAc
56F1vE/iGGITnyv+VYbc
=O9Em
-----END PGP SIGNATURE-----