-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-18_01.packages                                  Security Advisory
                                                                     pfSense

Topic:          XSS vulnerability in Status Monitoring base package

Category:       pfSense Base Packages
Module:         Status_Monitoring
Announced:      2018-01-12
Credits:        Cody Sixteen
Affects:        Status_Monitoring base package < 1.6.5 and 1.7.x < 1.7.6
Corrected:      2018-01-10 21:02:46 UTC FreeBSD-ports/devel, v1.7.6 for pfSense 2.4.3 snapshots
                2018-01-10 21:02:46 UTC FreeBSD-ports/RELENG_2_4_1, v1.7.6 for pfSense 2.4.2-RELEASE-p1
                2018-01-10 21:31:18 UTC FreeBSD-ports/RELENG_2_3, v1.6.5 for pfSense 2.3.6 snapshots
                2018-01-10 21:31:18 UTC FreeBSD-ports/RELENG_2_3_5, v1.6.5 for pfSense 2.3.5-RELEASE-p1

0.   Revision History

v1.0  2018-01-12  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most
of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in the 'left' and
'right' parameters of rrd_fetch_json.php and in the subsequent output on
status_monitoring.php, both of which are part of the Status_Monitoring
package included in the base installation of pfSense software.

If a malicious client POSTs a 'right' or 'left' parameter to
rrd_fetch_json.php containing HTML, it is passed back to the client without
encoding. Additionally, status_monitoring.php displays the errors from
rrd_fetch_json.php without encoding.

III. Impact

Because the affected variable is not properly encoded before output,
arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

IV.  Workaround

No workaround.

V.   Solution

Upgrade to pfSense software version 2.4.3-RELEASE or another corrected
version. This upgrade may be performed in the web interface or from the
console. See https://doc.pfsense.org/index.php/Upgrade_Guide

Rather than a full upgrade, the Status_Monitoring package may be upgraded on
its own. Run the following commands at a shell prompt as root (directly or
using sudo):

    pkg update -f
    pkg upgrade -y pfSense-Status_Monitoring

No reboot is required after performing the manual package update.

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
FreeBSD-ports/devel               795d66877be73bd2d111ccc79f9ad0f5a8467de7
FreeBSD-ports/RELENG_2_4_2        350da5e82523165e11344f98b7566c4233b5338b
FreeBSD-ports/RELENG_2_3          054317c3e0188b2006d6bd2fb1c5998405e53ec1
                                  833d2d2ef2bca9109624fcce03ef7d4e265ca86e
FreeBSD-ports/RELENG_2_3_5        40e2e568226f8e72d5b359575fb38d90a7e1a431
                                  9d6359520574022365a9294bf2bfa47a2a2d0c20
-----------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
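The PHP example below is added here and is not pfSense project code; it contrasts the bug class the Problem Description names (a client-supplied 'right'/'left' value reflected into an error and then displayed unencoded) with an allow-listed, output-encoded version. The parameter name comes from the advisory; the validation rule, error text and function names are assumptions for illustration.

```php
<?php
// Added example, not pfSense project code. Parameter name 'right' is from
// pfSense-SA-18_01.packages; the allow-list, error text and function names
// are assumptions chosen for illustration only.

// Vulnerable pattern: the client-supplied value is copied verbatim into the
// error text (producer side), then echoed into the page unencoded (consumer side).
function rrd_error_vulnerable(array $post): string
{
    $right = $post['right'] ?? '';
    return "Invalid RRD selection: {$right}";
}
function render_error_vulnerable(string $msg): string
{
    return '<div class="alert">' . $msg . '</div>';
}

// Hardened producer: only identifiers of the expected shape are ever reflected,
// and the JSON body is emitted with HEX flags so a raw '<' or '"' cannot appear
// in the response even if a caller later drops it into HTML.
function rrd_error_hardened(array $post): string
{
    $right = $post['right'] ?? '';
    // Assumed allow-list: graph identifiers are letters, digits, '-' and '_'.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $right)) {
        $right = '(unexpected value)';
    }
    return "Invalid RRD selection: {$right}";
}
function rrd_json_response_hardened(string $msg): string
{
    return json_encode(['error' => $msg],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Hardened consumer: HTML-encode at the point of output regardless of what the
// producer did, so a later upstream change cannot silently reopen the sink.
function render_error_hardened(string $msg): string
{
    return '<div class="alert">'
        . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Constructed sample input carrying markup instead of a graph identifier.
$sample = ['right' => '<i>not-a-graph</i>'];
echo render_error_vulnerable(rrd_error_vulnerable($sample)), "\n"; // markup reaches the page
echo rrd_json_response_hardened(rrd_error_hardened($sample)), "\n"; // value rejected, JSON hex-escaped
echo render_error_hardened(rrd_error_hardened($sample)), "\n";      // output HTML-encoded
```

Running the script prints the vulnerable rendering with the `<i>` tag intact, followed by the hardened JSON and HTML output in which the unexpected value has been replaced and any remaining special characters are escaped.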