-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-19_01.webgui                                   Security Advisory
                                                                    pfSense

Topic:          Multiple XSS vulnerabilities in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2019-01-29
Credits:        Ozer Goker
Affects:        pfSense software versions <= 2.4.4-p2
Corrected:      2019-01-29 19:15:09 UTC (pfSense/master, pfSense 2.5.0)
                2019-01-29 19:15:09 UTC (pfSense/RELENG_2_4_4, pfSense 2.4.4-pX)

0.   Revision History

v1.1  2019-05-14  Updated version information, updated reference URLs
v1.0  2019-01-29  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

Cross-Site Scripting (XSS) vulnerabilities were found in several pages of the
pfSense software WebGUI on version 2.4.4-p2 and earlier.

* On system_advanced_admin.php, a reflected XSS was possible via the
  "webguiproto" parameter.
* On interfaces_assign.php, a reflected XSS was possible via interface
  parameters such as "wan".
* On firewall_rules.php, a stored XSS was possible due to a lack of encoding
  in firewall_check_for_advanced_options(), and a lack of validation on
  firewall_rules_edit.php, in the "dscp", "tag", "tagged", "statetype",
  "vlanprio", "vlanprioset", "dnpipe", and "defaultqueue" parameters.
* On firewall_shaper.php, a reflected XSS was possible via the "name"
  parameter.
* On services_igmpproxy.php, a stored XSS was possible due to a lack of
  encoding of the "address" parameter and a lack of validation on the same
  parameter in services_igmpproxy_edit.php.
* On services_ntpd_gps.php, a stored XSS was possible via the "gpstype"
  parameter.
* On diag_traceroute.php, a reflected XSS was possible via the "host"
  parameter.

III. Impact

Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed in the user's browser. The
user's session cookie or other information from the session may be
compromised.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or
more of the following:

* Do not give firewall administrators access to pages or functions which
  allow writing arbitrary files to the firewall.
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Users can upgrade to version 2.4.4-p3 or later. This upgrade may be
performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users may also apply the relevant revisions below using the System Patches
package to obtain the fix. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                         62baf0777924b2c21c832db3c0040988e7451c61
                                       1072b9333c47df593420937361349b09a9b73639
                                       261916e5d3f833a58d5cef1afdadc7495ec2c74b
                                       938988609c306fcd44e25a053745c4b8332eeeb5
                                       57ccd08bf7ee05b9a00750a1fd9cf8f148e0c9ac
                                       5cc7d21dc08be6c65a2bf7f8f4481dc13f4ae115
                                       56888f24ca2715e678a1324633a08d3a611b4136
pfSense/RELENG_2_4_4                   5c4fef46ab9fd6be569a2c18185062bb34d0eb37
                                       9712ce4ef2b5228aed2af3c84d9d8a5df480fbc1
                                       7e9de4b150930ba66e6385def17e42ba2c0565b3
                                       ca0234c39abc2375bf9be5d2e236dea40a716182
                                       f39d333279002ceefbb511b3f40c921356faad37
                                       587c2d557612ccfa856b2ca47799429cab0fce88
                                       10b06be56c6860f5ac7b890d58c0c3cca8639c63
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAlzcKmMACgkQE7mH/ZIU
+Np4SQ//V79gPhOSHCBbpM0rUNb2AqFTeB6CsfUP8U9ex2fdXRbNCojXnQ3+tk3b
urprC/5j9DiIO9m+PJo4i07dZC2yS/KGE/L3Ws2CdQQm4p5GIypQRsnr+10CqISh
flGOfjJI5tnEw/EM9aArwdH6tefpvNIHQFS6+k0IDPlvgAnrq/wCEpPXpxH6xs8e
jfn/von9l7fsM4uquqSVEt+Z9FBqtEUsK4rWGwYKPuldDcfGi8aIcRjuOTIUzwMs
KS6CtGAahlvlNPhpE5nwBXcLyAF78XoSYGWnyIjuVPn0F/i2izC+3GWDAbFkc8yW
2Ufx/ETQ2pOSU9Z4ZPu/75b9gKPpeWvdwguUoj9GM4GCi94/kdJJvW+0xxXi6kkm
5CW/pa4Zj0GL5KucH0mdHtqlpAmTJg3gjy7JO6wrzZdB7Q04XB4CeNhUiZk964TQ
jcx8A4DTX9Bs166HKqPxcPgRPjcB1E/YEYpF6II3+knBA7gS9tr5krmsM9EgOTI+
k2Y9oWGvVIT5zymQs6uw5Qx/c3IFAEQPUDE2+x6+w9kYadBj7vQyaddgTZ/KABeO
RPLeDGhUUVrDZtl30rM0lXme++Xzn73Z8H/j8T9oFr5X6YiFswQUl05CiFZZwqoY
LoxB9HK/9Tez1+J63uyxWfWJWfmFtrTFFKxVzFKBc0O6nHc0Oi8=
=tmhH
-----END PGP SIGNATURE-----
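Section II attributes the stored XSS cases to two missing controls: values such as "dscp" and "statetype" were not validated on the edit page, and stored values were written back into the page without HTML encoding. The PHP below is an added example illustrating those two controls side by side; it is not pfSense code and does not reproduce firewall_check_for_advanced_options() or the project's real option lists. The allowlists, the function names (validate_enum, validate_name, h, render_unencoded, save_and_render) and the sample requests are all constructed for this illustration.

```php
<?php
// Added example, not pfSense code. It demonstrates the two controls the
// advisory describes as missing: allowlist validation of request parameters
// before they are saved, and HTML encoding of stored values before display.
// Parameter names follow the advisory; everything else here is constructed.

// Constructed allowlists (pfSense's real option lists are longer).
const ALLOWED_STATETYPE = ['keep state', 'sloppy state', 'synproxy state', 'none'];
const ALLOWED_DSCP      = ['af11', 'af12', 'af13', 'cs1', 'ef'];

// Return the value only if it is exactly one of the allowed options.
function validate_enum(?string $value, array $allowed): ?string
{
    return ($value !== null && in_array($value, $allowed, true)) ? $value : null;
}

// Free-form identifiers such as a shaper "name": accept a narrow character
// class and a bounded length, reject everything else.
function validate_name(?string $value): ?string
{
    return ($value !== null && preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $value) === 1)
        ? $value : null;
}

// Encode for an HTML text or quoted-attribute context. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// The defect pattern the advisory describes: a stored value is written to the
// page unencoded, so any markup it contains becomes live HTML.
function render_unencoded(string $value): string
{
    return "<td>{$value}</td>";
}

// Hardened handling: validate on save, encode on display. Returns either the
// list of validation errors or the encoded table row.
function save_and_render(array $input): array
{
    $fields = [
        'name'      => validate_name($input['name'] ?? null),
        'statetype' => validate_enum($input['statetype'] ?? null, ALLOWED_STATETYPE),
        'dscp'      => validate_enum($input['dscp'] ?? null, ALLOWED_DSCP),
    ];

    $errors = [];
    foreach ($fields as $field => $clean) {
        if ($clean === null) {
            $errors[] = "{$field}: value rejected";
        }
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }

    // Encoding happens at output time even though the values were validated:
    // the two controls are independent layers, not alternatives.
    $cells = array_map(fn(string $v): string => '<td>' . h($v) . '</td>', $fields);
    return ['ok' => true, 'html' => '<tr>' . implode('', $cells) . '</tr>'];
}

// Constructed sample requests: one well-formed, one carrying markup in "name".
$good = ['name' => 'lan_to_wan',      'statetype' => 'keep state', 'dscp' => 'af11'];
$bad  = ['name' => '"><b>probe</b>',  'statetype' => 'keep state', 'dscp' => 'af11'];

print_r(save_and_render($good));   // accepted, encoded row
print_r(save_and_render($bad));    // rejected at validation

// If an unvalidated value had already reached storage, output encoding alone
// still keeps it inert; the unencoded renderer does not.
echo render_unencoded($bad['name']), "\n";
echo '<td>' . h($bad['name']) . '</td>', "\n";
```

Running the script shows the validated request rendered as an encoded row, the second request rejected with a "name: value rejected" error, and the final two lines contrasting the unencoded and encoded output of the same stored string. The point for reviewers of similar code is that either layer on its own would have prevented the stored cases in section II, and the fix commits listed under VI address both.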