-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-17_05.webgui                                   Security Advisory
                                                                    pfSense

Topic:          Multiple XSS vulnerabilities in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2016-07-19
Credits:        Security Innovation, Inc
Affects:        pfSense software version <= 2.3.4
Corrected:      2017-06-16 19:24:38 UTC (pfSense/master, pfSense 2.4)
                2017-06-16 19:36:25 UTC (pfSense/RELENG_2_3, pfSense 2.3.5)
                2017-06-16 19:36:14 UTC (pfSense/RELENG_2_3_4, pfSense 2.3.4_x)

0.   Revision History

     v1.0  2016-07-19 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

Cross-Site Scripting (XSS) vulnerabilities were found in three pages of the
pfSense software WebGUI on version 2.3.4 and earlier.

* On vendor/filebrowser/browser.php, which is part of the "Browse" function
  on diag_edit.php, the "filename" parameter can be used to trigger an XSS
  if a file exists with a specially-crafted name. In order to exploit this,
  a user must be able to write files with arbitrary names to the firewall
  and then coerce an administrator with GUI access to load that same file
  in diag_edit.php through the file browser.

* On firewall_nat_edit.php, the "interface" parameter was not validated on
  save, so a specially-crafted submission could store an interface with a
  name that could trigger an XSS through the dst_change() JavaScript
  function on the page.

* On diag_tables.php, the "type" parameter which contains the table name to
  display was not being validated against a list of current tables. The
  unvalidated parameter was submitted back via AJAX to load the invalid
  table, and was presented to the user unencoded.

III. Impact

Due to the lack of proper encoding on the affected variable susceptible to
XSS, arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or
more of the following:

* Do not give firewall administrators access to pages or functions which
  allow writing arbitrary files to the firewall.

* Limit access to the affected pages to trusted administrators only.

* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Upgrade to pfSense software version 2.3.4-p1 or a later version.

This upgrade may be performed in the web interface or from the console.
See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                    e90eaf31f079dc29187d1c08cfe88ceabc0786f4
                                  9c8540ca53f8258a44aaf13100d575b30ae77e65
                                  d0acfddd3afb11cb53aa13a00bf2f89b0a98ae4f
pfSense/RELENG_2_3                bae3b2be97be0d1bee9c49244e3d7f1dcb03687f
                                  6c989d4ac23cfd7888d6881a3716875bb3298a07
                                  d6f20c329751e249d1066e0e3241e77a84dcc338
pfSense/RELENG_2_3_4              425174aef7ac56499d710316b3c23cf2e4ac7947
                                  e243e3253393a20ae0ac442b58438075d46f6b16
                                  5ca16d84d21d4551a090176090dc1cf7248431a5
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZbmS8AAoJEBO5h/2SFPjaruwP/3tckvezsB1cvL+rxs+fkOwk
aHsfDYgPkEeKThTsW6jDbIvzXLWgdpa3op7b8Vzakm06o7nVNTEXamYxxLWlrZ0g
rNyBxPG88G7Q20EAlXsumgNDWy9dCXmoEIaGDA67jiDFazP49csdOcUoS/5Cu7EJ
4/8IPWZvcwUucGbgfYEzzkshiGGM3RbWOXiLOwJfxXVsK5H9xTbbgIAXNLXM0P1I
gng0oxQb/XHWtMCOsr3N4swAHoQC/7yRSs0l0y2enY15i1zCGkyNrRhg2oj3AL55
6bnP9OmuVamh6ulnnH7eg8k6cUFBsygvIssuUiPSHz473hOtv3KTZfM2nrnvYdhh
BAzzgeYF0HZP62m7nu2GUWTzhSRpQIunAkJLDMfuN0MsoCrtF9jQlH6wo/E4Aaji
55PhJoRnlHYsRVpWhWnv9bZEQVQ0+qUphEwLgnwT+cfTkuseFn3i88OkZLqGNhf+
iUfisDszH20WyOn6xoIpmauB/y3g0LyQE0CD1Y/V3HxqnU6RqibnjiPsSz4bvIMm
r9NCXQ0jkkr4VCQXNhv84hTTtejIcuk0RSwJJR9CXLfcal2pk9eH5VZGoolIz64b
hjtJc4ExQN8VewukHtLFvr9lFdwF8S4MbW6JlaAEgyNHTxSxeqYqhJyOt5sHUoK7
S/pqBUi1yMIXSEOinIlW
=7IsT
-----END PGP SIGNATURE-----
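The three findings in section II share one shape: a value (a request parameter on diag_tables.php and firewall_nat_edit.php, a file name from the filesystem on the file browser) reaches the page's markup without being checked against what actually exists and without being encoded for the context it lands in. The PHP below is an added illustration of the defensive pattern the advisory implies, allow-list validation followed by context-appropriate encoding; it is not pfSense code and does not reproduce the project's actual fix. The table names, file names and function names are constructed for the example.

```php
<?php
// Added example, not pfSense code. Demonstrates the two-step defence for the
// defects described in the advisory: (1) validate a request value against the
// set of values that really exist, (2) encode it at the point of output.

// Constructed stand-in for "the list of current tables" on the firewall.
const KNOWN_TABLES = ['bogons', 'bogonsv6', 'sshguard', 'virusprot'];

// Vulnerable pattern: the request value is placed straight into markup, so any
// markup-significant characters it carries are interpreted by the browser.
function render_table_heading_unsafe(string $type): string
{
    return "<h2>Table: $type</h2>";
}

// Step 1: accept only a name present in the allow-list. Returns the name on
// success or null when the request did not name an existing table; the caller
// should then report an error rather than try to "load" the requested name.
function validate_table_name(?string $type, array $known): ?string
{
    if ($type === null || $type === '') {
        return null;
    }
    // Strict comparison so PHP type juggling cannot produce a false match.
    return in_array($type, $known, true) ? $type : null;
}

// Step 2: even a validated name is encoded where it is emitted. ENT_QUOTES
// covers both quote styles so the value is also safe inside an attribute;
// the charset is stated explicitly rather than relying on the default.
function render_table_heading_safe(?string $type, array $known): string
{
    $name = validate_table_name($type, $known);
    if ($name === null) {
        return '<p class="text-danger">Unknown table.</p>';
    }
    $enc = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Table: $enc</h2>";
}

// The same discipline for a value echoed back through an AJAX response:
// validate first, then return JSON with the HTML-significant characters
// hex-escaped so the body cannot be read as markup even if mishandled.
function ajax_table_response(?string $type, array $known): string
{
    $name = validate_table_name($type, $known);
    if ($name === null) {
        return json_encode(['error' => 'unknown table'], JSON_THROW_ON_ERROR);
    }
    $flags = JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP
           | JSON_HEX_QUOT | JSON_HEX_APOS;
    return json_encode(['table' => $name], $flags);
}

// The file-browser case: the name comes from the filesystem rather than the
// request, but it is still attacker-influenced (anyone who can create a file
// chooses its name) and must be encoded in both text and attribute position.
function render_file_entry(string $filename): string
{
    $enc = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"#\" data-file=\"$enc\">$enc</a>";
}

// Demonstration with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $requests = ['sshguard', 'bogons"<x', ''];
    foreach ($requests as $r) {
        echo 'request: ' . var_export($r, true) . "\n";
        echo '  unsafe: ' . render_table_heading_unsafe($r) . "\n";
        echo '  safe:   ' . render_table_heading_safe($r, KNOWN_TABLES) . "\n";
        echo '  ajax:   ' . ajax_table_response($r, KNOWN_TABLES) . "\n";
    }
    echo 'file:    ' . render_file_entry('report"<x.txt') . "\n";
}
```

Run with `php example.php`; the second constructed request is rejected by the allow-list before it is ever rendered, and the file entry shows the quote and angle bracket arriving in the browser as character references rather than as markup. The order matters: validation alone would not have protected the file browser (the name is legitimately arbitrary there), and encoding alone would still let diag_tables.php try to load a table that does not exist, which is why the advisory's third finding calls out the missing check against the list of current tables as well as the missing encoding.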