=============================================================================
pfSense-SA-18_07.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2018-08-09
Credits:        Silton Santos
Affects:        pfSense software versions 2.4.x <= 2.4.3-p1, 2.3.x <= 2.3.5-p2
Corrected:      2018-07-31 20:30:39 UTC (pfSense/master, pfSense 2.4.4)
                2018-07-31 20:39:31 UTC (pfSense/RELENG_2_4_3, pfSense 2.4.3_x)
                2018-07-31 20:49:51 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)

0.   Revision History

v1.0  2018-08-09  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third-party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in the "dashboardcolumns" user-customizable Dashboard settings, a part of the pfSense software WebGUI, on version 2.4.3-p1 and earlier.

On the Dashboard (index.php), the contents of the dashboardcolumns user setting were not validated on POST and were not encoded before being printed to the user, which could be used as an XSS vector.

III. Impact

Due to the lack of proper encoding on the affected variable susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or more of the following:

* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-administrative web browsing.

V.   Solution

Users of pfSense 2.4.x can upgrade to version 2.4.4 or later. This upgrade may be performed in the web interface or from the console.

See https://www.netgate.com/docs/pfsense/install/upgrade-guide.html

Users, including those running 2.3.5-p2, may apply the relevant revisions below using the System Patches package to obtain the fix.

See https://www.netgate.com/docs/pfsense/development/system-patches.html

VI.  Correction details

The following list contains the correction revision numbers for each affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                   9ceace2562e718b9b460633847c12050fff96640
pfSense/RELENG_2_4_3             db7f2719b747da77805972f797c23654518d438e
pfSense/RELENG_2_3_5             dd2d9f24b5212a6d13c94f4e98031fa635e7fda7
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
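
The two gaps named in section II (no validation on POST, no encoding on output) can be shown side by side in a short PHP sketch. This is an added example, not code from pfSense or from the correction revisions listed above; the function names, the 1 to 6 range, the default of 2 and the HTML attribute context are all assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical helper names, not pfSense source code.

const DASHBOARD_COLUMNS_DEFAULT = 2;   // assumed default
const DASHBOARD_COLUMNS_MAX     = 6;   // assumed upper bound

// "Before": the POSTed value is stored and printed as-is, so any markup
// it contains becomes part of the page.
function render_columns_unsafe(array $post): string
{
    $cols = $post['dashboardcolumns'] ?? '';
    return '<input name="dashboardcolumns" value="' . $cols . '">';
}

// Input side: accept only a whole number in the allowed range, otherwise
// fall back to the default instead of storing what was sent.
function validate_dashboard_columns($raw): int
{
    $opts = ['options' => ['min_range' => 1, 'max_range' => DASHBOARD_COLUMNS_MAX]];
    $cols = is_scalar($raw) ? filter_var($raw, FILTER_VALIDATE_INT, $opts) : false;
    return $cols === false ? DASHBOARD_COLUMNS_DEFAULT : $cols;
}

// Output side: encode for the HTML attribute context even when the value
// has been validated, so a value stored before the fix stays inert too.
function render_columns_safe($stored): string
{
    $cols = htmlspecialchars((string) $stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="dashboardcolumns" value="' . $cols . '">';
}

// Constructed sample inputs, including a harmless markup marker.
$marker  = '2"><b>marker</b>';
$samples = ['3', '0', '99', 'abc', $marker, ['x']];
foreach ($samples as $raw) {
    $label = is_array($raw) ? '(array)' : $raw;
    printf("%-20s => %d\n", $label, validate_dashboard_columns($raw));
}

// The same stored string rendered without and with output encoding.
echo render_columns_unsafe(['dashboardcolumns' => $marker]), "\n";
echo render_columns_safe($marker), "\n";
```

Only the first sample passes validation unchanged; the rest fall back to the default, and the encoded rendering keeps the marker inside the attribute value as text.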