=============================================================================
pfSense-SA-17_08.webgui                                    Security Advisory
                                                                     pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2017-11-14
Credits:        Quentin Rhoads-Herrera, Security Researcher
Affects:        pfSense software version 2.3.x < 2.3.5, 2.4.x <= 2.4.1
Corrected:      2017-10-27 20:52:31 UTC (pfSense/master, pfSense 2.4)
                2017-10-27 20:54:05 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5)

0.   Revision History

v1.0  2017-11-14  Initial SA draft
v1.1  2017-11-21  Updated 2.3.x affected version

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in diag_dns.php, a part
of the pfSense software WebGUI, on version 2.3.4 and earlier (2.3.x branch)
and on version 2.4.1 and earlier (2.4.x branch).

On diag_dns.php, the "hostname" parameter was being utilized without
encoding in a JavaScript variable, which could be used as an XSS vector.

III. Impact

Due to the lack of proper encoding on the affected variable susceptible to
XSS, arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or
more of the following:

* Limit access to the affected pages to trusted administrators only.

* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Users of pfSense 2.4.x can upgrade to version 2.4.2 or later. This upgrade
may be performed in the web interface or from the console. See
https://doc.pfsense.org/index.php/Upgrade_Guide

Users running pfSense 2.3.x can upgrade to 2.3.5 or later. See
https://www.netgate.com/blog/pfsense-2-3-5-release-now-available.html for
special instructions on using the 2.3.x legacy Security/Errata branch.

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                    Revision
-----------------------------------------------------------------------------
pfSense/master                 43746e1b4ef6fec0e9c915495aa3926a6b97e7a3
                               f32e9531ae21852ef0b21709b8278d1091d55d56
pfSense/RELENG_2_3_5           ab1a2d264941d1b1601d38bad2ac2ff4de6d4d81
                               edc0092c7423d566d9e9d8f0dded63205c71b6f7
-----------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
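The defect described in section II is a context-encoding mistake: a request parameter is written straight into a JavaScript string literal inside a <script> block. The following is an added illustration, not the pfSense code or the fix commits listed above; the function names are made up for the example, and the sample hostname is constructed to contain the characters that matter in that context (a double quote and a closing script tag).

```php
<?php
// Added example (not pfSense's diag_dns.php): embedding a request parameter
// in a JavaScript variable, the unsafe way and an encoded way.

// Unsafe pattern: the raw parameter value is concatenated into the script.
// A value containing a double quote ends the JS string literal early, and a
// value containing "</script>" ends the element itself, so the remainder of
// the value is interpreted as markup or script by the browser.
function emit_hostname_script_unsafe(string $hostname): string
{
    return '<script>var hostname = "' . $hostname . '";</script>';
}

// Encoder for the JavaScript-string-inside-<script> context. json_encode
// produces a valid JS string literal; the JSON_HEX_* flags additionally turn
// quotes, apostrophes, angle brackets and ampersands into \uXXXX escapes, so
// the emitted literal can neither close the string nor the <script> element.
function js_literal(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS;
    return json_encode($value, $flags);
}

// Encoded pattern: the variable is emitted as a JS literal, not raw text.
function emit_hostname_script_encoded(string $hostname): string
{
    return '<script>var hostname = ' . js_literal($hostname) . ';</script>';
}

// Defence in depth: a DNS lookup page only needs hostname characters, so
// reject anything else before it reaches the page at all. Labels of
// letters, digits and hyphens separated by dots, up to 253 characters.
function looks_like_hostname(string $value): bool
{
    return strlen($value) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$/', $value) === 1;
}

// Constructed sample input (not from the advisory) containing both a double
// quote and a closing script tag.
$hostname = 'example.com" </script>';

echo "input accepted by validator: ", var_export(looks_like_hostname($hostname), true), PHP_EOL;
echo "unsafe:  ", emit_hostname_script_unsafe($hostname), PHP_EOL;
echo "encoded: ", emit_hostname_script_encoded($hostname), PHP_EOL;
echo "valid name accepted: ", var_export(looks_like_hostname('example.com'), true), PHP_EOL;
```

Compare the two emitted lines: in the unsafe output the quote and the closing tag survive verbatim, in the encoded output they appear only as \u0022, \u003C and \u003E inside a single JS string. The validator is the second layer; the encoder is what fixes the bug class regardless of what the validator lets through.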