-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-17_01.webgui                                  Security Advisory
                                                                  pfSense

Topic:          Multiple Captive Portal XSS vulnerabilities in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2016-12-17
Credits:        yanncam via Github
                https://github.com/pfsense/pfsense/pull/3288
Affects:        pfSense software version <= 2.3.2_1
Corrected:      2016-12-18 04:01:33 UTC (pfSense/master, pfSense 2.4)
                2016-12-18 04:08:05 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-12-18 04:08:20 UTC (pfSense/RELENG_2_3_2, pfSense 2.3.2_x)

0.   Revision History

v1.2  2017-02-10  Updated release information, changed SA ID
v1.1  2016-12-18  Initial SA draft
v1.0  2016-12-17  Initial public report

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall
distributions, there is no need for any UNIX knowledge. The command line
is never used, and there is no need to ever manually edit any rule sets.
Instead, pfSense software includes a web interface for the configuration
of all included components. Users familiar with commercial firewalls will
quickly understand the web interface, while those unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were found in the
Captive Portal area of the pfSense software WebGUI on version 2.3.2_1 and
earlier.
List of parameters vulnerable to reflected XSS:

 * status_captiveportal.php: "order", "zone"
 * status_captiveportal_expire.php: "zone"
 * status_captiveportal_test.php: "zone"
 * status_captiveportal_voucher_rolls.php: "zone"
 * status_captiveportal_vouchers.php: "zone"

III. Impact

Due to the lack of proper HTML encoding of the affected parameters on the
pages susceptible to XSS, an attacker who can get an authenticated user to
load a crafted URL can execute arbitrary JavaScript in that user's
browser. The user's session cookie or other information from the session
may be compromised.

IV.  Workaround

To mitigate the problem on older releases, use one or more of the
following:

 * Limit access to the affected pages to trusted administrators only.
 * Do not log into the firewall with the same browser used for
   non-administrative web browsing.

V.   Solution

Upgrade to version 2.3.3 of the pfSense software, or a later version. This
may be performed in the web interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                   ac90c9012453c7e81ff0d0b472a55b116866c56e
                                 e12b438b9c19e9dc3009344c487bd2bf72adb831
pfSense/RELENG_2_3               c31fb7b0fa074e0ec2924b860f3c6cfb32b2d391
                                 a6a158e91eb64393e2a9cc9d0877fcfae03390a1
pfSense/RELENG_2_3_2             1992d9f946e7a14667ee95362a85c1e4a473da16
-------------------------------------------------------------------------
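The advisory names five pages and two query parameters whose values were
reflected without encoding. The following is an added example, not part of
this advisory and not pfSense code: a detection script that scans
web-server access-log lines for requests to exactly those page/parameter
pairs in which the decoded value carries HTML-significant characters, the
pattern a reflected-XSS attempt leaves behind. It also shows the encoding
that removes the vulnerability class. The log lines are constructed for the
example in Combined Log Format; the real pfSense WebGUI log format and the
attack payloads are assumptions, not taken from the advisory.

```python
"""Added example: flag reflected-XSS attempts against the Captive Portal
status pages listed in pfSense-SA-17_01.webgui. Not pfSense code."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Pages and parameters from section II of the advisory.
AFFECTED = {
    "/status_captiveportal.php": {"order", "zone"},
    "/status_captiveportal_expire.php": {"zone"},
    "/status_captiveportal_test.php": {"zone"},
    "/status_captiveportal_voucher_rolls.php": {"zone"},
    "/status_captiveportal_vouchers.php": {"zone"},
}

# Characters that change meaning in HTML text or attribute context; a
# legitimate captive-portal zone name or sort order never needs them.
HTML_SPECIAL = set('<>"\'&')

# Combined Log Format (assumed; pfSense's own log layout may differ).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return {param: decoded value} for affected page/param pairs whose
    value contains HTML-special characters; {} for anything else."""
    parts = urlsplit(target)
    params = AFFECTED.get(parts.path)
    if not params:
        return {}
    # parse_qs percent-decodes, so %3Cscript%3E becomes <script>.
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = {}
    for name in params:
        for value in query.get(name, []):
            if HTML_SPECIAL & set(value):
                hits[name] = value
    return hits


def scan(lines):
    """Return (client ip, request target, {param: value}) per suspicious line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("target"), hits))
    return findings


def encode_for_html(value):
    """The fix for this vulnerability class: encode before reflecting.
    quote=True also covers attribute context (" and ')."""
    return html.escape(value, quote=True)


# Constructed sample log lines (not real pfSense logs).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Dec/2016:10:00:01 +0000] "GET /status_captiveportal.php?zone=guest HTTP/1.1" 200 5120',
    '203.0.113.7 - - [17/Dec/2016:10:00:05 +0000] "GET /status_captiveportal.php?zone=guest%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210',
    '198.51.100.9 - - [17/Dec/2016:10:01:00 +0000] "GET /status_captiveportal_vouchers.php?zone=%27%3E%3Cimg%20src=x%20onerror=alert(document.cookie)%3E HTTP/1.1" 200 4800',
    '192.0.2.4 - - [17/Dec/2016:10:02:00 +0000] "GET /index.php?zone=%3Cb%3E HTTP/1.1" 200 3000',
    '203.0.113.7 - - [17/Dec/2016:10:03:00 +0000] "GET /status_captiveportal.php?order=ip&zone=guest HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target)
        for name, value in hits.items():
            print(f"  {name}={value!r} -> encoded {encode_for_html(value)!r}")
```

Only requests to the listed pages are reported, so the index.php line with
the same payload is ignored; apply the same decode-then-inspect logic to
any other parameters if later advisories extend the list.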
VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJYnd2CAAoJEBO5h/2SFPjaOeUP/1oZnZ4oYdaU2kH2AzcWsFaP
yQ9DafvC2eDWB2RrPEHVP2wrghw5+Y/FaJs1BpvY9jIbY0PSRLcnJ/88BI2mg54I
Ee1oenrGHIXC4ZoE8jtkAyWtfpcx/GwU2CatVZ2YnBj8ysVlVyPUm4XzOCqWyP4t
VW+imUHuBtK+OhA358a/0l2qYx9NXhOGJ3Dh+Ps4zm/tMBQanz7z/DH8bd+dbC9n
lySLR7dcSmi30brgbKwUMhSnTOf1Jyo4hD9rchtfVIGFbYborzKvqj92BpUKf1sO
i79bOb/y96+NZ4yBgZO4NOp0fJa0NzPWOU66iIJmBt4xLet/J+eEeiz7qrRMq42s
V7SpGzXeeejrzqBQimhgliLytKWpHtNnwbY/GDv/JOiLTvOaXdkj14m+agMFXOxc
T5+7g5YpiiGajOHOb+wjLzfqWC9MPWx9+dRubklzBbpWtE2KY0JTQnKy+H79Upal
6hnXap+C1FF3Vd9Q6LIYNtU7RPHycNq5/y/C8cBE+k6+/50UbmXaAueSSpAM4J1+
Q3MDQjzFPmLGMrgYczqyT3HjSaHqKtoa0dH4dkcz92OWwyK5rK3hG/cq12BXaQIQ
EGuFCHFbovfsSalY71Nm5jyfRCkFAWSucML2kc21xeup8OKJn1y2+Y/ielZ50G/T
aBthP+0/VHovmt4HBTFr
=F/b6
-----END PGP SIGNATURE-----