=============================================================================
pfSense-SA-15_08.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Multiple Stored XSS Vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2015-09-04
Credits:        Nicholas Starke, Dhinesh Kumar via Hari Hara Subramani,
                Hari Hara Subramani, Sivathmican Sivakumaran, Internal
Affects:        pfSense <= 2.2.4
Corrected:      2015-09-08 19:47:55 UTC (pfsense/bootstrap, pfSense 2.3)
                2015-09-08 19:11:40 UTC (pfsense/RELENG_2_2, pfSense 2.2.5)

0.   Revision History

v1.0  2015-09-04 Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were found in the
pfSense WebGUI.

The "Descriptive Name" field of Limiters, Layer 7 Containers, and ALTQ Traffic
Shaper queues was not encoded properly in certain cases. As a result, stored
XSS was possible when values entered in these fields were displayed to the
user.

The stored "Current Category" selection for RRD Graphs was not encoded before
being displayed to the user. As a result, stored XSS was possible.
The stored description values of OpenVPN instances (clients and servers) were
not encoded before being displayed to the user. As a result, stored XSS was
possible.

The stored Description field on Aliases, along with their detailed item
descriptions, was not encoded before being displayed to the user. As a
result, pages that included Alias detail tooltips, such as the Firewall Rule
and NAT Rule lists, had a potential for stored XSS.

When attempting to delete an alias, the Description of a firewall rule was
not encoded before being displayed to the user. As a result, stored XSS was
possible.

The text of GUI notifications was not being sanitized before being displayed
to the user. As a result, stored XSS was possible via notification text, such
as a rule description when an alias cannot be resolved.

The descriptive name of an authentication server entry was not being
sanitized before being displayed to the user. As a result, stored XSS was
possible on several pages that utilized authentication server entries.

The description of Load Balancer pools and virtual servers was not being
sanitized before being displayed to the user. As a result, stored XSS was
possible on several pages that displayed the description.

The mode parameter of a Load Balancer Pool entry was not being validated
before being stored or sanitized before being displayed to the user. As a
result, stored XSS was possible on pages that displayed the mode.

The relay_protocol parameter of a Load Balancer Virtual Server entry was not
being validated before being stored or sanitized before being displayed to
the user. As a result, stored XSS was possible on pages that displayed the
relay_protocol text.
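The two defects the advisory describes, rendering a stored description without output encoding and storing an enumerated parameter (mode, relay_protocol) without validation, can be seen side by side in the added example below. This is illustrative code written for this advisory, not pfSense's own; the function and constant names are hypothetical and the sample entries are constructed.

```php
<?php
// Added example, not pfSense code. Shows the vulnerable rendering pattern
// beside the hardened form: encode at output time, allow-list enum input.

// Constructed sample pool entries, as a form submission might store them.
$pool     = ['descr' => 'Web "front" pool <LAN & DMZ>', 'mode' => 'loadbalance'];
$bad_pool = ['descr' => 'Legacy pool',                   'mode' => 'round robin'];

// Vulnerable pattern: a stored value is interpolated straight into HTML,
// so any <, >, " or & it contains reaches the browser as markup.
function render_row_vulnerable(array $p): string {
    return "<tr><td title=\"{$p['descr']}\">{$p['descr']}</td>"
         . "<td>{$p['mode']}</td></tr>\n";
}

// Hardened output: encode every stored value at the point of rendering.
// ENT_QUOTES escapes both ' and " so the attribute context is covered too;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $p): string {
    return '<tr><td title="' . h($p['descr']) . '">' . h($p['descr']) . '</td>'
         . '<td>' . h($p['mode']) . "</td></tr>\n";
}

// Hardened input: an enumerated field is checked against an allow list
// before it is written to the config, so free text never lands there.
// (Hypothetical list; the real set of modes is defined by the application.)
const POOL_MODES = ['loadbalance', 'failover'];

function validate_pool(array $p, array &$errors): bool {
    if (!in_array($p['mode'], POOL_MODES, true)) {
        $errors[] = 'Invalid pool mode: must be one of '
                  . implode(', ', POOL_MODES) . '.';
    }
    return empty($errors);
}

$errors = [];
echo render_row_vulnerable($pool);   // raw markup characters pass through
echo render_row_safe($pool);         // the same entry, entity-encoded
var_dump(validate_pool($pool, $errors));      // accepted
var_dump(validate_pool($bad_pool, $errors));  // rejected, $errors populated
```

Note that the allow-list check does not replace output encoding: even a valid mode or a description that looks harmless must still pass through h() when rendered, since encoding is what neutralizes markup in whatever the config holds.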
List of affected pages for pfSense 2.2.x:

In usr/local/www/
  firewall_shaper_vinterface.php (Discovered by Nicholas Starke)
  firewall_shaper_layer7.php (Nicholas Starke)
  firewall_shaper.php (Internal)
  status_rrd_graph.php (Dhinesh Kumar)
  guiconfig.inc [Alias Tooltip] (Hari Hara Subramani, Internal)
  system_usermanager_settings.php (Sivathmican Sivakumaran)
  diag_authentication.php (Internal)
  vpn_ipsec_mobile.php (Internal)
  vpn_openvpn_server.php (Internal)

List of affected pages on both pfSense 2.2.x and 2.3:

In usr/local/www (2.2.x) or src/usr/local/www/ (2.3):
  status_openvpn.php (Dhinesh Kumar, Internal)
  firewall_aliases.php (Hari Hara Subramani)
  system_usermanager_settings_test.php (Internal)
  widgets/widgets/openvpn.widget.php (Dhinesh Kumar)
  load_balancer_pool.php (Dhinesh Kumar)
  load_balancer_pool_edit.php (Dhinesh Kumar)
  load_balancer_virtual_server.php (Dhinesh Kumar)
  load_balancer_virtual_server_edit.php (Dhinesh Kumar)
  status_lb_pool.php (Dhinesh Kumar)
  status_lb_vs.php (Dhinesh Kumar)
  widgets/widgets/load_balancer_status.widget.php (Dhinesh Kumar)

In etc/inc/ (2.2.x) or src/etc/inc/ (2.3):
  etc/inc/functions.inc [GUI Notices] (Hari Hara Subramani)

III. Impact

Due to the lack of proper encoding on the affected variables and pages,
arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

IV.  Workaround

Upgrade to pfSense 2.2.5 or later, which includes fixes for these issues.

To mitigate the problem on older releases, use one or more of the following:

* Limit access to the affected pages to trusted administrators only.

V.   Solution

Upgrade to pfSense 2.2.5. This may be performed in the web interface or from
the console. See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.
VII. References

None.

The latest revision of this advisory is available at
=============================================================================