=============================================================================
pfSense-SA-23_01.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2023-02-15
Credits:        Oscar Arnflo
                Feras Al-Kassar
Affects:        pfSense Plus software versions <= 22.05.1
                pfSense CE software versions <= 2.6.0
Corrected:      2022-09-29 17:15:02 UTC (pfSense Plus master, 23.01)
                2023-01-12 16:04:58 UTC (pfSense Plus 22.05)
                2023-01-13 15:24:03 UTC (pfSense Plus 22.05.1)
                2022-09-29 17:15:02 UTC (pfSense CE master, 2.7.0)
                2023-01-12 16:05:09 UTC (pfSense CE 2.6.0)

0.   Revision History

v1.1  2023-06-19  Updated with CE 2.7.0 release information
v1.0  2023-02-15  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A potential Cross-Site Scripting (XSS) vulnerability was found in
diag_edit.php, a component of the pfSense Plus and pfSense CE software GUI.

The page did not sanitize the contents of filenames read from disk in the
"file" and "fqpn" variables, nor did it encode the output when it included
those values.

This problem is present on pfSense Plus version 22.05.1, pfSense CE version
2.6.0, and earlier versions of both.

N.B.: pfSense Plus version 22.05.1 included a partial fix which covered the
"file" parameter.

III. Impact

An authenticated user having sufficient access to create files with
arbitrary names on the firewall filesystem can break rendering of the page.
Exploit potential is minimized both by the fact that users with access to
create files typically already have root-level access and by the fact that
"/" is not valid in filenames, so tags cannot be closed. Even so, there is a
theoretical potential for XSS here, even if a viable exploit has not yet
been discovered.

If this were exploitable, then due to the lack of proper encoding on the
affected parameters susceptible to XSS, arbitrary JavaScript could be
executed in the user's browser. The user's session cookie or other
information from the session may be compromised.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Do not allow users access to pages or mechanisms which grant them the
  ability to create files with arbitrary names.
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 23.01 or later, or
pfSense CE software version 2.7.0 or later. This upgrade may be performed in
the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 22.05, pfSense Plus version 22.05.1, and
pfSense CE version 2.6.0 may apply the fix from the recommended patches list
in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes
to the affected files if the patches do not apply directly. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                        Revision
---------------------------------------------------------------------------
plus/plus-master             1b5919c769ba736b44819f71ee1ddce06e2a50c5
                             73ca6743954ac9f35ca293e3f2af63eac20cf32e
plus/plus-RELENG_22_05       e0e30a9b01b1cd3b10016e1cd25e8ed8efbd3e1b
                             ca7ba7534cd2d15be1df0eecf7cbc122a018b637
plus/plus-RELENG_22_05_01    b02242b77cf70698ed4f79216a210200cc37fd08
pfSense/master               1b5919c769ba736b44819f71ee1ddce06e2a50c5
                             73ca6743954ac9f35ca293e3f2af63eac20cf32e
pfSense/RELENG_2_6_0         611de84ae2d1e65217dbccb7e9db32a019bd8d97
                             e9c53ad9b35ff152d2b76b8fcbb0a94adc809124
---------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
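The following is an added illustration of the encoding gap described in Section II: the unencoded output pattern beside a corrected version that encodes each value for the context it lands in. It is not pfSense's diag_edit.php and not the project's actual patch; the function names, the loadFile() handler and the sample filename are assumptions made for the example.

```php
<?php
// Added example, not pfSense code. Assumption: file-browser entries are built
// from names returned by scandir() ("file") and their full paths ("fqpn") and
// echoed into HTML and into a JavaScript string literal.

// Encode for an HTML text node or a double-quoted HTML attribute value.
function html_enc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (the behaviour the advisory describes): both values are
// concatenated into the markup untouched.
function render_entry_vulnerable(string $file, string $fqpn): string {
    return '<li onclick="loadFile(\'' . $fqpn . '\')">' . $file . '</li>';
}

// Corrected pattern: encode at the point of output, once per context. The
// path sits in a JS string literal inside an HTML attribute, so it is
// JSON-encoded (hex-escaping <, >, ', ", &) and then HTML-encoded.
function render_entry_fixed(string $file, string $fqpn): string {
    $js = json_encode($fqpn, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return '<li onclick="loadFile(' . html_enc($js) . ')">' . html_enc($file) . '</li>';
}

// Defence in depth: flag names outside a conservative allow-list before they
// reach any rendering code, so odd names are at least logged or skipped.
function name_is_plain(string $file): bool {
    return (bool) preg_match('/\A[A-Za-z0-9._ -]{1,255}\z/', $file);
}

// Constructed sample filename: "/" cannot occur in a filename, but "<",
// quotes and spaces can, which is enough to break the vulnerable markup.
$file = '<b>quarterly "final".txt';
$fqpn = '/tmp/' . $file;

echo render_entry_vulnerable($file, $fqpn), "\n";
echo render_entry_fixed($file, $fqpn), "\n";
var_dump(name_is_plain($file));
var_dump(name_is_plain('report.txt'));
```

Run with `php` on the command line and compare the two lines: in the fixed output the browser decodes the attribute back to a valid loadFile("...") call while every `<`, `>` and quote from the filename is inert.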