-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================================================= pfSense-SA-18_03.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2018-01-29 Credits: Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc. Affects: pfSense software version 2.4.x <= 2.4.2-p1 Corrected: 2018-01-29 17:26:41 UTC (pfSense/master, pfSense 2.4.3) 2018-01-29 17:26:41 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x) 0. Revision History v1.0 2018-01-29 Initial SA draft v1.1 2018-05-02 Fixed year in correction timestamps I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in traffic_graphs.widget.php, a part of the pfSense software WebGUI, on version 2.4.2-p1 and earlier (2.4.x branch). On traffic_graphs.widget.php, the values of the widget settings were not validated nor encoded before being printed to the user, which could be used as a stored XSS vector. III. Impact Due to the lack of proper encoding on the affected variables susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users of pfSense 2.4.x can upgrade to version 2.4.3 or later. This upgrade may be performed in the web interface or from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master e7b5b82b121c76c4c6bf57229bfef0ea3bc33d5b pfSense/RELENG_2_4_2 f51de9fd9b762f50096e72481fad69e2440bca91 - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJa6h2yAAoJEBO5h/2SFPjaWsMQAII44sZFYdsUIwuTKR9JXlct C/JEzWRXIlQQD6O4bEDTj+AIDSib2VksiCwyFsGVwKzncrUDCX5cGVjIOrzM5bI9 Fhsb6GdyBzZyeiS64EvlWqIfi/xEeSOFvLJTRFeicCj/DpYiDCaMsaW2rqJjtp/s WWAjnbmcY117jDGU38rmSXgOF8DrlSgFMEGPVkiB2yTT4SD4P7yP8Zc5L0m104rw KTbYT2pnKOhTKp90OLUCKfO32o/pxIB95x/KsSFAi4KbGZJ2RfAT75YCa+CjNAHF Xsc3tID63UpRD/mE8oUjAMNV1R52y+y8/bzg+nen/E4sO7RdTpMpCvCn4tO1O6SY F42F4a2AmV1KuNVuXRgQpB+ns6OArWhnN4cVLxp9D/1XXnehQOB+2ya/i6l/buAI 5l1h0BUYiVaXdtDHVLsgEA/1bAseDggPh6KQVtc8tDlIgbayVPjCx2OZ+OcQzn5q kzoIdpeQfHFw1VQCU2VEEeqHsiRA5RQ8zRHhCtW3PetaCe3od9WWX4f33XlHbWZ2 o6Qj+lEyoygsJC7+gYGYmkPLvvyVA70IPvg/W7keE6Jg8H/GBXBe623Oo/9fLW8j rg7n2ydGr0tvRWz50hdTXnls6R8ZsDw/frwWOOj+rKn7cU/aXvV9n6o0zErx4mXm NFJh794tmKI8oDZnCyWF =9wfi -----END PGP SIGNATURE-----