-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-15_11.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Multiple XSS and CSRF Vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2015-12-21
Credits:        Security Innovations Internal
Affects:        pfSense <= 2.2.5
Corrected:      2015-12-21 15:46:43 UTC (pfsense/master, pfSense 2.3)
                2015-12-21 20:37:25 UTC (pfsense/RELENG_2_2, pfSense 2.2.6)

0.   Revision History

v1.0  2015-12-21  Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting (XSS) vulnerabilities and one CSRF issue were
found in the pfSense WebGUI.

The "DNS Servers" fields on system.php were validated but not encoded before
display. A bad value entered into a field was put back in the field
unencoded while displaying input validation errors, resulting in a reflected
XSS. The value was not stored.

The "bandwidth" and "qlimit" fields on firewall_shaper.php were validated
but not encoded before display.
A bad value entered into a field was put back in the field unencoded while
displaying input validation errors, resulting in a reflected XSS. The value
was not stored.

On status_gateways.php and system_gateways.php, some stored gateway
parameters such as the Description were printed without encoding, leading
to a potential stored XSS under some conditions.

The page diag_backup.php had CSRF checking disabled for all functions,
including the restore function. As a result, a specially crafted attacker
page could cause a logged-in administrator to upload a config.xml crafted
by the attacker.

III. Impact

Due to the lack of proper encoding on the affected variables and pages,
arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

On diag_backup.php, the firewall configuration could be altered or replaced
if the administrator could be tricked into loading a specially crafted page
while also logged into the firewall with the same browser session.

IV.  Workaround

Upgrade to pfSense 2.2.6 or later, which includes fixes for these issues.

To mitigate the problem on older releases, use one or more of the following:

  * Limit access to the affected pages to trusted administrators only.
  * Do not log into the firewall with the same browser used for
    non-administrative web browsing.

V.   Solution

Upgrade to pfSense 2.2.6. This may be performed in the web interface or from
the console. See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.
Branch/path                                                        Revision
- - -------------------------------------------------------------------------
pfSense/master         8ebf884f82c80f8623bfba2a37aef3cf7079ed79
                       69560def1623424ba91f41847b6f57d0e84cfa7a
pfSense/RELENG_2_2     d83a4dfcdb0f61f4d7311c42e917f27691834a84
                       49e83995cef02354b39a506a3bc0feb469cb5637
                       3643958c95913d83a3417924f67517e6b2b41ff7
                       392796a4610568932ab051b9e33bcd25716d80dc
- - -------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWeHG0AAoJEBO5h/2SFPjalu0QAJQpoRIpDayXb/mdQZ6XlugU
idyl1/u7fJbMihcRhvMNLJ8tLCUn7iGXQdTq/TenZx7WTmmkbHnfMwDPN3PKS/3i
8hLBdTv2fNsC+r84LsUvAzGASby1hKF3drLBcGYnalP18JGbxwhBPMVNBkuWLhIl
nS7ws4ZqSCy+3vb5ljG8qQsLq/hpvIEh3Mdt4mNUcMxq2jUmKTpkUCT4GZ9Hp01i
A7CofXdZBB5dy0m6E4gahXE7VjdEWXL4vo9UScIOjbQLjlg97oZDfrKczE5b0wer
cPSz/Kn73S4jEXGhXBpJYarc4Bq3XsXr8A5wwy9Sipt8ySJqG2uxdQexMBTpXhER
xdKI6MIYkwYNcrXnRsqvGJx7OTipdVOfYYFr+OInLotrkudnoCzaOM5qjIafGkLo
PbUYnb9r5bNLPrpuQMy8GeI7cKbrFaoqjQLl9049xu9X4kj8KnUtopTZkpOzyWmc
TXsfhBjJdbLV7CjPm18axHaeZQyxkNpTqkeD+AahgWij3ukfqX/++SpTB5p1YRYp
ZieYUzfAfXFbXIl1jULYItTldBG8Jyb5SPHjPzlgrQ7jpcSF5E/h2+zSq3cDvLQn
ddjkDERVYMbSlisldjd0N7Goj12HcQmFkA5WsdGu6cYFNu5sNbSDVZ6x4ALNbJuN
WBS1VLmf6TcLISWsBLZ3
=Eqmu
-----END PGP SIGNATURE-----
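Added example, not part of the signed advisory above and not pfSense's own
code. It isolates the two bug classes described in section II: a field value
that is validated, rejected, and then written back into the form unencoded
(the system.php / firewall_shaper.php pattern), and a state-changing restore
handler that accepts any POST with no CSRF check (the diag_backup.php
pattern), each beside a hardened form. The function names, the "dns1" field,
the "csrf_token" parameter name and the $session array are illustrative
assumptions; the real pfSense code and its csrf-magic integration differ.

```php
<?php
declare(strict_types=1);

// Illustrative code for pfSense-SA-15_11; names and layout are assumptions,
// not the pfSense sources. Run with: php example.php

// --- 1. Reflected XSS: validated, rejected, and still echoed unencoded -----

// Vulnerable pattern: validation correctly rejects the value, but the
// rejected value is written straight back into the input's value attribute.
function render_dns_field_vulnerable(string $submitted): string
{
    $errors = [];
    if (filter_var($submitted, FILTER_VALIDATE_IP) === false) {
        $errors[] = 'A valid IP address must be specified for DNS server.';
    }
    $html = '';
    foreach ($errors as $e) {
        $html .= "<p class=\"error\">{$e}</p>\n";
    }
    // The value never reached config.xml, yet it reaches the browser as
    // markup: a payload such as "><script>...</script> closes the attribute.
    return $html . "<input name=\"dns1\" value=\"{$submitted}\">\n";
}

// Hardened pattern: encode every untrusted value at the point it crosses
// into HTML, independent of whether it passed validation.
function h(string $s): string
{
    // ENT_QUOTES also encodes the single quote, so the result is safe in
    // either attribute quoting style; ENT_SUBSTITUTE keeps htmlspecialchars
    // from returning '' (silently dropping the value) on invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_dns_field_fixed(string $submitted): string
{
    $errors = [];
    if (filter_var($submitted, FILTER_VALIDATE_IP) === false) {
        $errors[] = 'A valid IP address must be specified for DNS server.';
    }
    $html = '';
    foreach ($errors as $e) {
        $html .= '<p class="error">' . h($e) . "</p>\n";
    }
    return $html . '<input name="dns1" value="' . h($submitted) . "\">\n";
}

// --- 2. CSRF: restore handler with no token check vs. one bound to it ------

// Vulnerable pattern: any POST carrying a "conf" field is acted on, so a
// form on an attacker's page, auto-submitted in the admin's browser, rides
// on the admin's session cookie and replaces the configuration.
function restore_config_vulnerable(array $post): string
{
    return isset($post['conf'])
        ? 'restored ' . strlen($post['conf']) . ' bytes'
        : 'no config supplied';
}

// Hardened pattern: the form must carry a per-session secret the attacker's
// page cannot read (same-origin policy), compared in constant time.
function restore_config_fixed(array $post, array $session): string
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'rejected: missing or invalid CSRF token';
    }
    return isset($post['conf'])
        ? 'restored ' . strlen($post['conf']) . ' bytes'
        : 'no config supplied';
}

// --- Demonstration with constructed inputs ---------------------------------

// Constructed stand-in for $_SESSION; a real application stores the token
// server-side when the form is rendered and embeds it as a hidden field.
$session = ['csrf_token' => bin2hex(random_bytes(32))];

// Constructed reflected-XSS payload: breaks out of the value attribute.
$payload = '"><script>alert(document.cookie)</script>';

echo "Vulnerable rendering:\n", render_dns_field_vulnerable($payload), "\n";
echo "Hardened rendering:\n",   render_dns_field_fixed($payload), "\n";

// Constructed cross-site POST (no token) and a legitimate one (with token).
$forged = ['conf' => '<pfsense><system/></pfsense>'];
$legit  = $forged + ['csrf_token' => $session['csrf_token']];

echo restore_config_vulnerable($forged), "\n";       // acted on: CSRF succeeds
echo restore_config_fixed($forged, $session), "\n";  // rejected
echo restore_config_fixed($legit, $session), "\n";   // acted on: legitimate
```

The fix for the XSS half is output encoding, not stricter validation:
validation already rejected the payload, and it was the error-path redisplay
that leaked it. The CSRF half shows why the workaround in section IV (a
separate browser for administration) helps: the forged request only works
because the admin's session cookie is attached to it automatically.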