-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-17_11.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2017-12-04
Credits:        Internal
Affects:        pfSense software version 2.3.x <= 2.3.5, 2.4.x <= 2.4.2
Corrected:      2017-11-28 21:28:49 UTC (pfSense/master, pfSense 2.4)
                2017-11-28 21:30:32 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x)
                2017-11-28 21:39:08 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2017-11-28 21:41:23 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)

0.   Revision History

v1.0  2017-12-04 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in
status_filter_reload.php, a part of the pfSense software WebGUI, on version
2.3.5 and earlier (2.3.x branch) and on version 2.4.2 and earlier (2.4.x
branch).

On status_filter_reload.php, the "user" parameter was being utilized without
encoding in JavaScript which could be used as an XSS vector.

III. Impact

Due to the lack of proper encoding on the affected variable susceptible to XSS,
arbitrary JavaScript can be executed in the user's browser. The user's session
cookie or other information from the session may be compromised.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or more
of the following:
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users of pfSense 2.4.x can upgrade to version 2.4.2-p1 or later. This upgrade
may be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

Users running pfSense 2.3.x can upgrade to 2.3.5-p1 or later.

   See https://www.netgate.com/blog/pfsense-2-3-5-release-now-available.html for
   special instructions on using the 2.3.x legacy Security/Errata branch.

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     82b1d76f934d793fe681c9c80da1a8e32cefc1f5
pfSense/RELENG_2_4_2               fea5a8af2c802033b7df2e398ccada544304aa35
pfSense/RELENG_2_3                 11b3b8e6edbeb71a93f6b6f02b62fb682386355d
pfSense/RELENG_2_3_5               36ca9be2d0c3bf01b3fd6fa0f4aa598803815b56
- - -------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-17_11.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJaMq8RAAoJEBO5h/2SFPja7yQQAKf9O1qoR4OxF3ofaWv3FloF
0oK8T7AzAUXBv6EXlCrbQOH76bTHRI3o0Uy8BshydJDzJFBK3V2eF0FjicrpHNH1
xy+uscnCVFm2DHK9tyr5rcb16O2Dwz7xO1O7vizRPB3ufcdRvMW6H/TFJdY0H9nw
B21Ztj3v5SxWB53rTyn2OaFa7u6dDihzSaCtoDJcSIso7r4fxuNtfyL/ja9klrd+
NZ67FvSsW0UzOd0AQaKEPmNb3g8VrFs5J5Y/bLjvRGLMbdVgOdPamwndMA4jZpoa
WRN5YTWJ/qn4lsux7fXcujfCzGIMpGzqNM0Yr9+fPklPHqxe/tqkQi5XZRSb78+j
ijC26BQkAIKDYa1a8fgH99slX6dqL0cPgs9CK+gv5hCbgPmLYiRnUlQxoxutbV96
aNkH9Aq5GDLIYAxLPjRObNBUnvECJ6ZVR464rXUab6YnKjb1IfIn3GRnMlsQuixr
zRN+TDtkvDMPI/5TYlz99YBPbtt0obI8pThtnCFentnET23//iFOBo7PPF6EMoif
2qCvuCIfIEFWAdo7jQZsYkdUyokqBa/in/wdtNiQnQFylvl4pDq7KzJ4EmJi3Os/
Vp7Eg/ojzOA/qNrP4AM9iV4c1RlLergd/qC/8Jv9PM7sDrvd4AFwErRhEP6ZKnX8
63TsfeK8Dr9nqmVwtcnw
=DGcR
-----END PGP SIGNATURE-----