-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-16_06.squid                                    Security Advisory
                                                                   pfSense

Topic:          Stored XSS in the pfSense squid package GUI

Category:       pfSense Package System
Module:         squid
Announced:      2016-06-09
Credits:        Remco Sprooten
Affects:        pfSense-pkg-squid versions < 0.4.18
Corrected:      2016-06-08 12:16:17 UTC (freebsd-ports/devel, pfSense 2.4.x pkg)
                2016-06-08 12:18:14 UTC (freebsd-ports/RELENG_2_3, 2.3.2 pkg)
                2016-06-08 12:18:28 UTC (freebsd-ports/RELENG_2_3_1, 2.3.1 pkg)
                2016-06-08 12:18:43 UTC (freebsd-ports/RELENG_2_3_0, 2.3 pkg)

0.   Revision History

v1.0  2016-06-09  Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

Squid is an open source forward and reverse proxy daemon that can cache web
content, control access to HTTP resources, and can be extended to offer
anti-virus and filtering capabilities.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in squid_clwarn.php,
part of the squid package available for pfSense 2.3.1 and earlier versions.
When the ClamAV virus scanner feature is enabled, squid uses this file to
display information about detected viruses and to log that information. The
data passed to squid_clwarn.php was not sanitized before display, nor before
being written to its log file. The log was also displayed by
squid_monitor_data.php without encoding.

III. Impact

Due to the lack of proper encoding on the affected variables and pages,
arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

Additionally, data could be hidden from the virus log depending on the
invalid input supplied to squid_clwarn.php.

IV.  Workaround

Upgrade the squid package on pfSense to 0.4.18 or later, which includes
fixes for these issues.

To mitigate the problem on older releases, use one or more of the following:

* Restrict access to the web server on the firewall to trusted sources.
* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Upgrade the squid package on pfSense to 0.4.18 or later, which includes
fixes for these issues.

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
freebsd-ports/devel                      e99ba5ea416690285a4ab3e094c4b2c0fb20c735
                                         442b7dd6b6e3ff8976f88ab1f168d365cdebe520
freebsd-ports/RELENG_2_3                 90bcaee8d8315e4026e2afed2ea7c6fdd55ffd20
                                         d581d14a7a88027655719c8ad3f9bed7c2f7585f
freebsd-ports/RELENG_2_3_1               408eb385c5696a271945226bb10c77dc2231793c
                                         e2a02e3773f33d0bd9f450ffb0d9cfd7215791b8
freebsd-ports/RELENG_2_3_0               e82ef1c5b43ab4fd1117966d0de881655958f1f3
                                         b301844cadcb2887c788be38eadc9b50ea5b8d52
- - -------------------------------------------------------------------------

VII. References

None.
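The two unsafe data flows described in Sections II and III (request data written to the virus log without sanitization, then rendered by the monitor page without encoding) placed side by side with a hardened form, as an added example. This is not the pfSense squid package's own code: the parameter names, the tab-separated log layout, the file names and the sample input are assumptions made for the illustration.

```php
<?php
// Added example, not pfSense squid package code. Assumed: squid hands the
// warning page the detected virus name and the blocked URL; $log_file is a
// placeholder for the package's virus log path.

// --- Vulnerable pattern: raw request data reaches both the log and the HTML.
function clwarn_vulnerable(string $virus, string $url, string $log_file): string {
    file_put_contents($log_file, date('c') . " $virus $url\n", FILE_APPEND);
    return "<p>Blocked <b>$url</b>: $virus</p>";
}

// --- Hardened: keep one event on one log line, and encode at display time.
function log_field(string $value): string {
    // A newline or carriage return inside a logged field would start a fake
    // entry or cut the real one short; replace control characters so the
    // log line structure cannot be influenced by the request.
    return preg_replace('/[\x00-\x1F\x7F]/', '?', $value);
}

function html(string $value): string {
    // Context-correct encoding for HTML element content and attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function clwarn_hardened(string $virus, string $url, string $log_file): string {
    $line = date('c') . "\t" . log_field($virus) . "\t" . log_field($url) . "\n";
    file_put_contents($log_file, $line, FILE_APPEND);
    return '<p>Blocked <b>' . html($url) . '</b>: ' . html($virus) . '</p>';
}

// The monitor page must encode again when it reads the log back: a value
// that was safe to write to a text file is not safe to place inside HTML.
function monitor_render(string $log_file): string {
    $rows = '';
    foreach (file($log_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $entry) {
        [$when, $virus, $url] = array_pad(explode("\t", $entry, 3), 3, '');
        $rows .= '<tr><td>' . html($when) . '</td><td>' . html($virus)
               . '</td><td>' . html($url) . "</td></tr>\n";
    }
    return "<table>\n" . $rows . '</table>';
}

// Constructed sample input: a "virus name" carrying markup and a newline.
$log   = tempnam(sys_get_temp_dir(), 'clwarn');
$virus = "EICAR<script>alert(1)</script>\nfake-second-entry";
$url   = 'http://example.invalid/eicar.com';

echo clwarn_hardened($virus, $url, $log), "\n";
echo monitor_render($log), "\n";
unlink($log);
```

With the hardened functions the sample name is stored as a single log line (the newline replaced by `?`) and both pages emit `&lt;script&gt;`, so the browser renders the tag as text; the vulnerable function would append two log lines and return the script tag unencoded.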
The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXWczfAAoJEBO5h/2SFPjaIz8QAOb/Ebe6EXSNtl/C2mmBK6sS
86rFcpupoyIsTQcGleDM5MzcoLrgO1WNfQZgB7DlqZ9u5qK+PsNkegPBF89Pqw0c
QBl/inpi4ruJKGy9zOVRoG66U2QdIuACRmNhtyaxS1gsCasPTAtQke+pACkePJvH
nKy3btbjDzHOb0XDafmPSuRl1/05sttoiXH3lvRW214swRQ5Yn3tkxZs5ZpFK3YF
9NFyYaYILBLwMfvLhkFfP39C1rvFkvnXldgyUI3kgBXDBpbBXqJer7+/+J0wc2/R
pqy1MYGlwJ1go67Pvkwc5m0oE9Zs88O9cCPJBKwnBkiM3cctysbMSMgVLpzgQaRA
CkQO1YjNAlhKpODYswyhbFL1AY3P1/4zEea0tWANtS6IPDaqHeKNAtnNl4OPISO3
WZpr2HUvG5Ik77aiBvBmQxyr7ZGgibY60oH57Tm4ZCHEbQq/IJFWEGor3nK/7WYD
Wj+y2j2E/oqrRcRHdQMXvTBJX58+wEjzr5axera0usV8Le5ER0mMaPrLmyycz4Zl
TJG4hC17dmT9wjCGxcJS55tkUWdVFK3A4JthJRai6nWL2hKlWHkm4ArHGi23C3Yp
ukAX0g/3fwE2bt1xDsZKjqAX15RainjP5jz2kTYYdkWMOos+81H63KCE8ChPcjNH
oT1QwLEkHT9dum7gfPOS
=7Z/v
-----END PGP SIGNATURE-----