=============================================================================
pfSense-SA-15_10.captiveportal                              Security Advisory
                                                                      pfSense

Topic:          SQL Injection Vulnerability in the pfSense captive portal
                logout

Category:       pfSense Base System
Module:         Captive Portal
Announced:      2015-12-21
Credits:        Felix Wolfsteller
Affects:        pfSense <= 2.2.5
Corrected:      2015-12-02 (pfsense/master, pfSense 2.3)
                2015-12-02 (pfsense/RELENG_2_2, pfSense 2.2.6)

0.   Revision History

v1.0  2015-12-21  Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

The sessionid in the captive portal logout function was not properly
sanitized.

III. Impact

Users on a local network with captive portal enabled can manipulate captive
portal's session database with a specially crafted logout POST.

IV.  Workaround

Upgrade to pfSense 2.2.6 or later which includes a fix for this issue.

V.   Solution

Upgrade to pfSense 2.2.6. This may be performed in the web interface or from
the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                 Revision
-------------------------------------------------------------------------
pfSense/master              69c97c32f9e245ee12829939a1412b17866a4c0b
pfSense/RELENG_2_2          43180e9c49b913b5c6361822d839d51074890c20
-------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
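
Added example, not part of the advisory and not pfSense code: a minimal
logout handler that deletes a session row by sessionid, written once with the
value concatenated into the SQL text and once with format validation plus a
bound parameter. The SQLite table layout, the session id format, the sample
rows and all function names are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed schema and rows (assumption, not pfSense's real session table).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sessionid TEXT PRIMARY KEY, username TEXT, ip TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?, ?)", [
        ("a3f1c9d2e4b5a6f7", "alice", "192.0.2.10"),
        ("0b7e55aa19c3d8f2", "bob", "192.0.2.11"),
        ("9d2c4471fe08ab36", "carol", "192.0.2.12"),
    ])
    return db

def logout_vulnerable(db, sessionid):
    # Unsafe: the POSTed value becomes part of the SQL text, so a quote
    # character inside it changes the structure of the statement.
    cur = db.execute("DELETE FROM sessions WHERE sessionid = '" + sessionid + "'")
    return cur.rowcount

# Assumed session id format for this example: 16 lowercase hex characters.
SESSIONID_RE = re.compile(r"[0-9a-f]{16}")

def logout_hardened(db, sessionid):
    # 1) Reject anything that is not shaped like a session id.
    if not isinstance(sessionid, str) or not SESSIONID_RE.fullmatch(sessionid):
        return 0
    # 2) Bind the value as a parameter so it is only ever treated as data.
    cur = db.execute("DELETE FROM sessions WHERE sessionid = ?", (sessionid,))
    return cur.rowcount

def remaining(db):
    return db.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]

# Constructed malformed input containing quote characters, used as a test case.
MALFORMED = "x' OR '1'='1"

if __name__ == "__main__":
    for handler in (logout_vulnerable, logout_hardened):
        db = make_db()
        deleted = handler(db, MALFORMED)
        print(f"{handler.__name__}: deleted={deleted} remaining={remaining(db)}")
```

Running the same malformed value through both handlers makes a useful
regression test: the hardened handler must leave every other session row in
place.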