-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================================================= pfSense-SA-17_04.webgui Security Advisory pfSense Topic: DHCP Lease XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2016-04-26 Credits: Stefan Wieczorek (DCSO Deutsche Cyber-Sicherheitsorganisation GmbH) Affects: pfSense software version <= 2.3.3-p1 Corrected: 2017-04-26 17:12:04 UTC (pfSense/master, pfSense 2.4) 2017-04-26 17:28:09 UTC (pfSense/RELENG_2_3, pfSense 2.3.4) 2017-04-26 17:27:58 UTC (pfSense/RELENG_2_3_3, pfSense 2.3.3_x) 0. Revision History v1.0 2016-04-26 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in the DHCP lease display in the pfSense software WebGUI on version 2.3.3-p1 and earlier. If a malicious client submits a hostname containing HTML, it is displayed to the user viewing the DHCP leases without encoding. III. Impact Due to the lack of proper encoding on the affected variable succeptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. V. Solution Upgrade to pfSense software version 2.3.4 or a later version. This upgrade may be performed in the web interface or from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master 49a6769d99b4ea0306b0d619d14c3c0c841386e9 pfSense/RELENG_2_3 9e721fea09dc252cd264bc2b67ef40a1d2d81e11 pfSense/RELENG_2_3_3 a260eda55905607e9adfd5d7c3fd779b115459d5 - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJZCgb7AAoJEBO5h/2SFPjaVmQP/RxMkpNZt5nAuiGP5NudMDVg PWcNKAmWenGA5mW9p85AHE/EKKoBJa2UkKZj6oAG5DYP+JR4BF2BEHyGlsTtMxp8 ugosARW+97mTib1cWF5bcTwL8GAYBoltoZJJWTqmzj2cqxX4gILYJvPMDPNqhb8T KFc5HrRfq1R1FKYVG8GzWqrrxr8QL7RQPkKOGHvaqcGCr8jUMAC6iD5RvmpQwC+T 3Ulzxz2MrECBlvNPTy4/mgXmWNzrm78s80YmOJo5BIY7hZcKdFtY/RMxrJ5422oD RIwTjWGdbk/BDv+kqy9bXScwkd6r+1fdc8ALQf+KCHxQhlwu37ISVovVHaX0s3P0 xfG+XzJi0HPtmO2Qj1IEk5N+qUFBe412/0ygmXLvve2JAdP6aUwxtyKBZbNqGJDa nsdJgxqgRkvQ73o2vjNiBRlIX4xjQ8+LziZSJk9T9yWvqxljHwOdd8ou0FwRsaVJ f98oyeNdKgvx/lKT2jrI3WkYZCaBL8MU1oqUDHA8S+XhiNLKnFtdBRMfxpUKrWqr P4W2OlFmDYn3WQSggjxT7AFTy7GmbH48LXwKDnNHZcFiQCGsy8RAyCHRYcZcz8oF YUgJlw0h76tBjWAsfsgDVBZmdN4hwPEtGxzr9nOuCOuvNfR0tteVPAmRMo94ChWN RNFmUOmzrtP3AGCYSjux =foHb -----END PGP SIGNATURE-----