=============================================================================
pfSense-SA-18_04.webgui                                     Security Advisory
                                                                      pfSense

Topic:          LFI Vulnerability in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2018-05-01
Credits:        blablach
Affects:        pfSense software versions 2.4.x <= 2.4.3, 2.3.x <= 2.3.5
Corrected:      2018-04-27 16:52:06 UTC (pfSense/master, pfSense 2.4.4)
                2018-05-01 17:47:03 UTC (pfSense/RELENG_2_4_3, pfSense 2.4.3_x)
                2018-05-01 17:46:14 UTC (pfSense/RELENG_2_3, pfSense 2.3.6)
                2018-05-01 17:46:29 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)

0.   Revision History

v1.0  2018-05-01  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and provides
most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A Local File Include (LFI) vulnerability was discovered in
pkg_mgr_install.php, a part of the pfSense WebGUI, via the logfilename
parameter.

The logfilename parameter on pkg_mgr_install.php in an AJAX request was used
to specify a file to read, ending in .txt. This file name was not sanitized
or restricted to a specific path.

III. Impact

An authenticated user sending a specially crafted POST request could read any
file on the filesystem with a name ending in '.txt'.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or
more of the following:

* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Users of pfSense 2.4.x can upgrade to version 2.4.3_1 or later. This upgrade
may be performed in the web interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

Users running pfSense 2.3.x can upgrade to version 2.3.5_2.

See https://www.netgate.com/blog/pfsense-2-3-5-release-now-available.html
for special instructions on using the 2.3.x legacy Security/Errata branch.

Users may also apply the relevant revisions below using the System Patches
package.

See https://doc.pfsense.org/index.php/System_Patches

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
pfSense/master                   c29a1fe90f89c1ae392df2ef2092207e282ddc37
pfSense/RELENG_2_4_3             8d7458f6260e17b22073a21893fd3f698373ca52
pfSense/RELENG_2_3               48f8b5ad884cad92ec71e5b6dc5fc6f8f62fc5f7
pfSense/RELENG_2_3_5             9d918214832b56d1c5fa767be61ed9ae9738e5c1
- -------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
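
Added example (not pfSense source code and not the committed fix): a PHP sketch
of the class of bug described in section II, next to a restricted form that
allow-lists the name and confirms the resolved path stays inside one directory.
LOG_DIR, both function names, the sample files, and the way the path is joined
in the unrestricted form are assumptions made for illustration.

```php
<?php
// Illustration only. LOG_DIR and the function names are hypothetical.
define('LOG_DIR', sys_get_temp_dir() . '/sa_example_logs');

// Unrestricted form: the request value goes into the path unchecked and
// only the ".txt" suffix is fixed by the code.
function read_log_unrestricted($logfilename)
{
    return @file_get_contents(LOG_DIR . '/' . $logfilename . '.txt');
}

// Restricted form: allow-list the characters first, then verify that the
// resolved path is still under LOG_DIR. realpath() collapses ".." and also
// resolves symlinks, so a link pointing out of the directory is rejected.
function read_log_restricted($logfilename)
{
    if (!is_string($logfilename)
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $logfilename)) {
        return false;                 // no "/", ".", NUL or empty names
    }
    $base = realpath(LOG_DIR);
    $path = realpath(LOG_DIR . '/' . $logfilename . '.txt');
    if ($base === false || $path === false) {
        return false;                 // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;                 // resolved outside LOG_DIR
    }
    return file_get_contents($path);
}

// Constructed sample files so the script runs offline.
@mkdir(LOG_DIR, 0700, true);
file_put_contents(LOG_DIR . '/webgui-install.txt', "install log\n");
file_put_contents(sys_get_temp_dir() . '/outside_notes.txt', "not a log\n");

// One expected name and one name that resolves outside LOG_DIR.
foreach (['webgui-install', '../outside_notes'] as $name) {
    printf("%-18s unrestricted=%-5s restricted=%s\n", $name,
        var_export(read_log_unrestricted($name) !== false, true),
        var_export(read_log_restricted($name) !== false, true));
}
```

The restricted form returns false for every rejected name without saying why,
so a caller cannot use the response to probe which files exist.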