=============================================================================
pfSense-SA-18_05.webgui                                   Security Advisory
                                                                    pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2018-05-01
Credits:        blablach
Affects:        pfSense software versions 2.4.x <= 2.4.3, 2.3.x <= 2.3.5
Corrected:      2018-04-27 16:58:35 UTC (pfSense/master, pfSense 2.4.4)
                2018-05-01 17:47:06 UTC (pfSense/RELENG_2_4_3, pfSense 2.4.3_x)
                2018-05-01 17:46:16 UTC (pfSense/RELENG_2_3, pfSense 2.3.6)
                2018-05-01 17:46:31 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)

0.   Revision History

v1.0  2018-05-01  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall
distributions, there is no need for any UNIX knowledge. The command line is
never used, and there is no need to ever manually edit any rule sets.
Instead, pfSense software includes a web interface for the configuration of
all included components. Users familiar with commercial firewalls will
quickly understand the web interface, while those unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in pkg_mgr_install.php,
a part of the pfSense software WebGUI, on version 2.4.3 and earlier.

On pkg_mgr_install.php, the value of the output parameter was neither
validated nor encoded before being printed to the user, which could be used
as an XSS vector.

III. Impact

Due to the lack of proper encoding on the affected variable susceptible to
XSS, arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

Because this can only be exploited via custom POST data submitted by an
authenticated user with a valid CSRF token, the impact is lower than most
similar issues.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or
more of the following:

* Limit access to the affected pages to trusted administrators only.

* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Users of pfSense 2.4.x can upgrade to version 2.4.3_1 or later.

This upgrade may be performed in the web interface or from the console.
See https://doc.pfsense.org/index.php/Upgrade_Guide

Users running pfSense 2.3.x can upgrade to version 2.3.5_2. See
https://www.netgate.com/blog/pfsense-2-3-5-release-now-available.html
for special instructions on using the 2.3.x legacy Security/Errata branch.

Users may also apply the relevant revisions below using the System Patches
package. See https://doc.pfsense.org/index.php/System_Patches

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
pfSense/master                           687e50fd439179ba61a518c7b68c91b168e56e50
pfSense/RELENG_2_4_3                     72f363ed3bd878e665cc7a4612e49aad2753deb0
pfSense/RELENG_2_3                       b662c5e4a64627b614e937a574e7995200388ff9
pfSense/RELENG_2_3_5                     5c856a1d49a4d2f22993de69eba16536d165296a
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
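The defect described in section II is a missing output-encoding step on a POSTed parameter. The following PHP is an added illustration written for this advisory, not the actual pkg_mgr_install.php code: a simplified handler named render_output_unsafe() shows the vulnerable pattern, and render_output_safe() shows the same handler with validation and HTML encoding. The length and printable-character rule is an assumed policy, not one taken from the project.

```php
<?php
// Added illustration, not pfSense's own code: a simplified page handler that
// echoes a POSTed "output" parameter back into the HTML response.

// Vulnerable pattern: the raw parameter is concatenated into the page, so any
// markup it carries is interpreted by the browser as part of the document.
function render_output_unsafe(array $post): string
{
    $output = $post['output'] ?? '';
    return '<div class="output">' . $output . '</div>';
}

// Hardened pattern: first validate the value against what the page actually
// expects, then encode it for the HTML context it is emitted into.
function render_output_safe(array $post): string
{
    $output = $post['output'] ?? '';
    // Assumed rule for this page: a short, printable status string only.
    if (!is_string($output) || strlen($output) > 1024 || !ctype_print($output)) {
        $output = '';
    }
    // ENT_QUOTES also encodes single and double quotes, so the value is safe
    // inside quoted attributes as well as in element content.
    $encoded = htmlspecialchars($output, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="output">' . $encoded . '</div>';
}

// Constructed sample input standing in for a crafted POST body; the
// authenticated user's browser would receive whatever the handler returns.
$sample = ['output' => '<img src=x onerror="alert(1)">'];

echo render_output_unsafe($sample), PHP_EOL; // markup passes through verbatim
echo render_output_safe($sample), PHP_EOL;   // markup is rendered as literal text
```

The safe variant addresses the encoding gap only; the CSRF token requirement noted in section III is a separate control that limits who can submit the POST in the first place, and it does not replace output encoding.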