=============================================================================
pfSense-SA-14_09.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Multiple XSS Vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2014-06-23
Credits:        Dejan Lukan, Protean Security
Affects:        pfSense <= 2.1.3
Corrected:      2014-06-19 14:30:38 UTC (pfsense/master)
                2014-06-19 14:29:18 UTC (pfsense/RELENG_2_1, pfSense 2.1.4)
CVE Name:       CVE-2014-4687

0.   Revision History

v1.0  2014-06-23  Initial release.
v1.1  2014-07-03  Added CVE reference numbers

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system. Users familiar with commercial
firewalls will quickly understand the web interface. Users unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in the
pfSense WebGUI during a security audit.

* Persistent XSS in firewall_schedule.php [CVE-2014-4687]
* Persistent XSS in rss.widget.php [CVE-2014-4687]
* Reflected XSS in services_status.widget.php [CVE-2014-4687]
* XSS in Referer HTTP Header in log.widget.php [CVE-2014-4687]
* Potential XSS via JavaScript injection in exec.php [CVE-2014-4687]

III. Impact

Due to the lack of proper encoding on the affected variables and pages,
arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

Characters sent via POST in the starttime0 variable on firewall_schedule.php
are not properly encoded and the value is saved in the firewall
configuration.

The "rssfeed" parameter passed via POST to the rss.widget.php script is not
properly validated or sanitized and its value is stored in the firewall
configuration.

The "servicestatusfilter" parameter sent to services_status.widget.php in a
POST action is not properly validated or sanitized. The user is redirected
via "Location:" header when the page loads, so the JavaScript is unlikely to
be executed by the client's browser.

The HTTP Referer parameter passed to log.widget.php is not properly
sanitized before use.

The "txtRecallBuffer" sent via POST when uploading a file via exec.php is
not fully sanitized when being displayed to the user. Given the way the
resulting code is included and formatted, exploitation does not appear to
be possible.

IV.  Workaround

No workaround is available. Upgrade to pfSense 2.1.4 or later, which
includes fixes for these issues.

The risk of such attacks being triggered remotely may be lowered by not
using the same browser session for firewall management and general web
browsing.

V.   Solution

Upgrade to pfSense 2.1.4 upon its release. This may be performed in the web
interface or from the console. See
https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.
Branch/path                                                        Revision
---------------------------------------------------------------------------
pfSense/master                     65f815dd9fec2c7c290c7ff82f86ca8ab77f8035
                                   e4921058c6c5e2cb99b997fcf2594e9a7e10a11e
                                   2b641a08ab6e781b4795b0b3e3d9c1268aa91964
                                   aba02f656010bc190b5db0e0c659f8f79402b6a9
                                   bef1056048aa2e0839fd5839e83da154f06c8c2c
pfSense/RELENG_2_1                 54a9da9fceff7e5d2524bd30d31c2756dd46f357
                                   860b102acbdb8f7ea702c2f63c5216904428cf1d
                                   ce9d5d7255919b47abf28314dbe6eaa2769a92e4
                                   d1dda498173f09ca0deb5331d6be77abbe8d6e61
                                   8aca755afeb815f99ab4ca5ddda769124f965d4a
---------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
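Added here as an illustration of the encoding failure described in Section III: a POST value that is stored in the configuration (or a request header such as Referer) is later written into HTML without being encoded for that context. This is example code, not from the advisory or the pfSense code base; the function names are hypothetical and the sample inputs constructed.

```php
<?php
// Added example, not code from the advisory or from pfSense: the encoding
// failure described in Section III beside its fix. Function names are
// hypothetical; the sample inputs in self_check() are constructed.

// ENT_QUOTES also encodes single quotes (before PHP 8.1 the default did not,
// leaving single-quoted attributes injectable); ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning ''; the charset is stated explicitly.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: a stored value is written straight into the markup.
function render_starttime_unsafe(string $starttime): string
{
    return "<input name='starttime0' value='" . $starttime . "'>";
}

// Hardened pattern: validate against the shape a time must have, then encode
// at the point of output (encoding alone would already neutralise markup).
function render_starttime(string $starttime): string
{
    if (!preg_match('/^(?:[01]?\d|2[0-3]):[0-5]\d$/', $starttime)) {
        $starttime = '00:00';
    }
    return '<input name="starttime0" value="' . html_encode($starttime) . '">';
}

// Request headers such as Referer are attacker-controlled like any other
// input: keep only a same-host URL, then encode it for the href attribute.
function render_back_link(array $server, string $expected_host): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $expected_host) !== 0) {
        $referer = '/index.php';
    }
    return '<a href="' . html_encode($referer) . '">Back</a>';
}

// Self-check on constructed inputs: raw markup passes the unsafe renderer,
// is encoded by html_encode, and never reaches the hardened outputs.
function self_check(): bool
{
    $injected = '08:00"><b>injected</b>';
    return strpos(render_starttime_unsafe($injected), '<b>') !== false
        && html_encode($injected) === '08:00&quot;&gt;&lt;b&gt;injected&lt;/b&gt;'
        && strpos(render_starttime($injected), '<b>') === false
        && strpos(render_back_link(['HTTP_REFERER' => 'http://evil.example/"><b>x</b>'], 'fw.example'), '<b>') === false;
}
```

Run `php -r 'require "encode.php"; var_dump(self_check());'` (file name assumed) to see the check return true; the same encode-at-output rule applies to the rssfeed and servicestatusfilter values named above.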