-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-16_03.webgui                                   Security Advisory
                                                                    pfSense

Topic:          Stored XSS in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2016-05-09
Credits:        Jamie Hankins, Internal
Affects:        pfSense <= 2.3_1
Corrected:      2016-05-16 11:23:23 UTC (pfSense/master, pfSense 2.4.x)
                2016-05-16 11:23:23 UTC (pfSense/RELENG_2_3, pfSense 2.3.1)
                2016-05-06 13:29:58 UTC (pfSense/RELENG_2_3_0, pfSense 2.3)
                2016-05-06 13:40:24 UTC (pfSense/RELENG_2_2, pfSense 2.2.x)

0.   Revision History

v1.0  2016-05-09  Initial release
v2.0  2016-05-16  Added Notices XSS

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in pkg.php, part of the
pfSense WebGUI, on pfSense 2.3 and earlier versions. pkg.php is used to
display and manage lists of items used by packages. Items in these lists
were output without HTML encoding, which could result in a stored XSS if the
package did not validate or sanitize the data when the values were stored.
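The unencoded-output pattern described above, beside its hardened form, as an
added example. This is not pfSense project code: the helper names
render_unencoded(), render_encoded() and sanitize_for_storage() and the sample
notice text are constructed for illustration, and strip_tags() is used only as
a stand-in for whatever store-time sanitization the fix commits apply.

```php
<?php
// Added example, not pfSense project code. Function names and the sample
// text are assumptions made for illustration.

// Constructed sample: a list item or notice as a package or remote response
// might have supplied it. The payload runs if the text reaches HTML unencoded.
$notice = 'Package update failed: <img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the stored text is interpolated straight into the page,
// so any markup it contains is parsed and executed by the admin's browser.
function render_unencoded(string $text): string
{
    return "<td>{$text}</td>";
}

// Hardened output: encode at display time, whatever was stored. ENT_QUOTES
// covers both quote styles so the value is also safe inside attribute values;
// naming the charset avoids encoder mismatches.
function render_encoded(string $text): string
{
    return '<td>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence in depth, in the spirit of "notices are now sanitized when stored":
// strip markup before the value is written, so systems that receive forwarded
// notices are not handed the payload either. strip_tags() is an assumption
// here, not the project's implementation, and is not a substitute for
// output encoding.
function sanitize_for_storage(string $text): string
{
    return strip_tags($text);
}

// Check used by the demonstration: encoded output must carry no raw tag
// delimiters from the input.
function contains_raw_tag(string $html): bool
{
    return preg_match('/<\s*\w/', $html) === 1;
}

echo "Unencoded: " . render_unencoded($notice) . PHP_EOL;
echo "Encoded:   " . render_encoded($notice) . PHP_EOL;
echo "Stored:    " . sanitize_for_storage($notice) . PHP_EOL;
echo "Raw tag in unencoded output: " . (contains_raw_tag(render_unencoded($notice)) ? 'yes' : 'no') . PHP_EOL;
echo "Raw tag in encoded input:    " . (contains_raw_tag(htmlspecialchars($notice, ENT_QUOTES | ENT_HTML5, 'UTF-8')) ? 'yes' : 'no') . PHP_EOL;
```

Run with `php example.php`. The encoded line shows the payload rendered as
literal text (`&lt;img src=x onerror=&quot;...&quot;&gt;`), and the stored line
shows only "Package update failed: ". The display-time encoding is the control
that closes the hole; store-time sanitization protects downstream consumers but
cannot be relied on alone, because other write paths may bypass it.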
A Cross-Site Scripting (XSS) vulnerability was found in Notice handling, part
of the pfSense WebGUI, affecting pfSense 2.3 only. The firewall displays
notices generated by various areas of the system to inform the user of
problems or significant events. The text of the notices was not encoded
before display, leading to a potential persistent XSS.

III. Impact

Due to the lack of proper encoding on the affected variables and pages,
arbitrary JavaScript can be executed in the browser of a user viewing the
affected page. The user's session cookie or other information from the
session may be compromised.

In the case of the potential Notices XSS vector, the notice text is not
directly controllable by the user, but in certain cases it was filled with
an HTML response from a remote server controlled by the pfSense project.

IV.  Workaround

Upgrade to pfSense 2.3.1 or later, which includes fixes for these issues.

To mitigate the problem on older releases, use one or more of the following:

* Limit access to the affected pages to trusted administrators only.

* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

* Apply the relevant commit(s) in section VI using the System Patches
  package, depending on the pfSense version in use.

V.   Solution

Upgrade to pfSense 2.3.1. This may be performed in the web interface or from
the console. See https://doc.pfsense.org/index.php/Upgrade_Guide

Notices are now sanitized when stored, so if notices are forwarded to third
party systems, the potential for XSS exposure in those systems from affected
messages has also been addressed.

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.
Branch/path                                                         Revision
- - -------------------------------------------------------------------------
pfSense/master                      d6ab749630ab5fa4a1d3fe6e58ce47452217cdbc
                                    e392cc2bdbdc1da6cf5d100607c9410b7e55b9b8
                                    e4710ed5d5c42430b7563904233fadac2463744e
pfSense/RELENG_2_3                  45c50e6fa4d5b92859cfaf979b76cf156c07d8d4
                                    78012791480c8fa7bc4fbbf0d2b7cbbe4de8975a
                                    0f1304eed0658a974ab3bce6371dec70458363ea
pfSense/RELENG_2_3_0                828ec6af040acde23d2df98b572df708aa938532
pfSense/RELENG_2_2                  e079998e9d063d826d341b2b3dd8a53458a67757
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXOdEsAAoJEBO5h/2SFPja36QP/Aobc8caGqCIHUKL+tUqHFhW
eVGrbp1vukzNlhBpR0X0Qw0Erd2f10WFr6/eFs33jA/tRl2EAWdAyXzVlDDR2X+W
aBrf0TUGWA1SFUt+vOsoAkCY4j3sGUDPuRDoa66hhUPtYLfbdRxCMzYHypTGZCB3
YkdwvKVyZ/Wgswynjh5rT6r280rv7ukPzQVEb4Ymm8LtYT9yA4lIrczZnxUwNvd6
sPZjHJgi6N00FPPHwOZ4JTPANx7G3iapJm0VEy5aTtEoKo5OOZNu2yXywXfzR8dO
B1aNEQg7FbPUBtUuinARxcTvmzTA3jHilZv5e3bO8g77O+k3fyxpncU6+skAs5Fy
6elfZJd5tn0O5IAvR92/RYRJxvfq162DwF+2a4xPgrQtbkuejWGoKqH1rpdpDt75
2XNGOiJDnGMSuQvFKZFraJXlyT1KSMYpU9x4+g11P4jdgVgmhSqK5On5YZBlVvuR
SkyJFIyvXmK9K7y3WjCML2wLSp7zf9bhawkBOd6n3CRqPnl4yuv3XnBhyFweDM+j
Oi5+0xhP1olF+6fxV14fesx6Z7RNJPTgL9Ghmra2mFjCYdIRWvnA8Cf5dGCalxRv
1+r9ufe4u1OIpA6svDi3NuMUfWazfdMaYqFZq81SEsJoP5SMc1ZCzNN7Eh7DDxIf
hriNAgc5EM5UdhWqfgyb
=G4Wp
-----END PGP SIGNATURE-----