-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-18_06.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2018-08-09 Credits: rgutga Affects: pfSense software versions 2.4.x <= 2.4.3-p1, 2.3.x <= 2.3.5-p2 Corrected: 2018-07-16 22:35:39 UTC (pfSense/master, pfSense 2.4.4) 2018-08-09 18:17:20 UTC (pfSense/RELENG_2_4_3, pfSense 2.4.3_x) 2018-08-09 18:17:32 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x) 0. Revision History v1.0 2018-08-09 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in the firewall and NAT rule separator feature, a part of the pfSense software WebGUI, on version 2.4.3-p1 and earlier. On firewall_rules.php and firewall_nat.php, the value of the $separator['text'] variable was not encoded before being printed to the user, which could be used as an XSS vector. III. Impact Due to the lack of proper encoding on the affected variable susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users of pfSense 2.4.x can upgrade to version 2.4.4 or later. This upgrade may be performed in the web interface or from the console. See https://www.netgate.com/docs/pfsense/install/upgrade-guide.html Users, including those running 2.3.5-p2, may apply the relevant revisions below using the System Patches package to obtain the fix. See https://www.netgate.com/docs/pfsense/development/system-patches.html VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master ef3d2cadcd24bccc527c2706aaccd809fdb481e9 pfSense/RELENG_2_4_3 e6138f400051d9cf6bd23cb6d58773eed09f98f1 pfSense/RELENG_2_3_5 bd4795201f79da1eaf035f6450d4df04be223e4d - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAluFX8YACgkQE7mH/ZIU +NqhyxAA4/Twh7vcL0gnP+t65ce6VsfDZkO5mqoT9oH/jsqGsa7eoC6J+qulzcQW ZdPbe9MM/Kn1+INZElKBuosypLQRxqiNOeMaEG2wy7YufvCHSIhWEOPAZyWU3yyu XjyOIiKkYwASS8z0iQUbUlAhIb3MC94Xt6icuokZ5oBn59L6HptV1c+Vfi8bxHPb S14VgnV+uXVf6D/VPEegdrZeoFPRf5mU2e90kf7JywsDK8ehCVDd1dwSLdxESRK4 gR2uX4+101CAyz5NRq422F3bhyLtCQ214e2j45dYerc8yqhZctIUYgk73FtkNN5h 0JO1s9rxRM8hgXS+ysqVWUBKUZXuyncMU22sfr4wMGF90sTcW4odmTP4UOjayZAC A6gInW+H1kvlKUGKhsikPJn+oHYkVs0lGM7TfC3rI703ryaRQt6xX5oenDa0VdH6 FF9SYma23Bfh60/GUGg8pVJqiAf8VKf/5XZSgr+WXUtRyugcPFC5MjcHe01zHoj/ Cv4dkm0fiv4a5K7hhFlZG2XJWOOPtDsqiLf4+gGLWilOAxDJ7byacmOu47N42BfJ AUDs0LM6mDa3mSuHDLLQx9t8hTi4sU0rY9CewKIY1CT9nrxG5ABe6YML+VoplRyn yuyZs+8ge1nm0H1uKe+FOwJLCbkH8cmswpufLjIkDTmwHEEsYMw= =kiwG -----END PGP SIGNATURE-----