-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-18_02.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2018-01-29
Credits:        Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc.
Affects:        pfSense software version 2.3.x <= 2.3.5-p1, 2.4.x <= 2.4.2-p1
Corrected:      2018-01-29 17:24:25 UTC (pfSense/master, pfSense 2.4.3)
                2018-01-29 17:24:25 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x)
                2018-01-29 17:24:25 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2018-01-29 17:24:25 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)

0.   Revision History

v1.0  2018-01-29 Initial SA draft
v1.1  2018-05-02 Added 2.3.5_2 version information and fixed year in correction
                 timestamps.

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in
diag_system_activity.php, a part of the pfSense software WebGUI, on version
2.3.5-p1 and earlier (2.3.x branch) and on version 2.4.2-p1 and earlier (2.4.x
branch).

On diag_system_activity.php, the output of the "top" command was printed to the
user without encoding, which could be used as an XSS vector.

III. Impact

Due to the lack of proper encoding on the affected output susceptible to XSS,
arbitrary JavaScript can be executed in the user's browser. The user's session
cookie or other information from the session may be compromised.

Exploiting this requires that the attacker already have sufficient access to the
firewall to run arbitrary processes at the command prompt (console or ssh) or
via diag_command.php, which makes this attack impractical, but the possibility
remains that such a process could be triggered by other means.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or more
of the following:
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users of pfSense 2.4.x can upgrade to version 2.4.3 or later. This upgrade may
be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

Users running pfSense 2.3.x can upgrade to version 2.3.5_2.

   See https://www.netgate.com/blog/pfsense-2-3-5-release-now-available.html for
   special instructions on using the 2.3.x legacy Security/Errata branch.

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     c083e1e49af4902d15173d412feebd8b86a616ee
pfSense/RELENG_2_4_2               bd866431ba009f0ffbb0cad18e156dfd3017dbb7
pfSense/RELENG_2_3                 834ac053f1df4effcb70aa82bef780e7a8499e26
pfSense/RELENG_2_3_5               51992270b53084fdf0a2febf2fa3cf823b8357ed
- - -------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-18_02.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJa6h2vAAoJEBO5h/2SFPjang4QAJGXHypZB7foYhw87Korn+JF
vHlzM1a1LwjSvSKJ2yAGqbL7n8QG6lkv7ctVxDfXLx/iDoiFygAAS3vNydNGbCn/
3uvIfyWCaD1nD+BiXczZyB8rqCdUPO6Pvnv64oXTRH0Kd1YFYKReWPnid0cW8VAe
4eMmRDZLolYbjNxJhEogwLg5EdGFE8KnPkT18wzWZfkLKLOuN5m7m3GJ5WZo7kfD
PdGOtKA5MGKD7yIlmt1NQyhTjhsxtvrMGFp9cjtQHa0kE3Q78hZij8OzTIivJRPQ
OPFdoHHriSBy5RnCwyMKd7NZdenCfTmiu93EFSMsBiCXa8b7/35PPs1hBjEVPFyo
h7foeRblHFRRejrH5EVXDNU5288Lg79Wds+Jn210yTqMxzuDqaqowgkqkUuSb+e2
qdms7lQ/fWKN1+uiMHNB76AawwMChcHZ3YyBpybnq8lVJ6sufZpSSqWjxyMxQlIv
Xrcrt99laV57A2pqPanSg1ATBNS8vNNR5Y5Lyurz4d9PgaofA9YLXq6C6BPcDgJz
4Md+re7sKz8hSj8WXvZRBGdyeTaTsMYENjNGnz9nbqD+2VMeTACfHt9dJVYZl2PU
ABJVc7n0Ju5s4QvYIiK90H51yG0nX0ynRPDO2jUeq9ZF2+Ca02iIKoOU2hT+ZGPS
sbKD15C1A2Yg1lYleLM8
=3MyZ
-----END PGP SIGNATURE-----