-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-19_05.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2019-05-20 Credits: Bill Marquette Affects: pfSense software versions <= 2.4.4-p2 Corrected: 2019-05-09 19:17:35 UTC (pfSense/master, pfSense 2.5.0) 2019-05-09 19:17:35 UTC (pfSense/RELENG_2_4_4, pfSense 2.4.4-pX) 0. Revision History v1.0 2019-05-20 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in services_acb.php, a page in the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The page did not encode the download parameter in its output, and a reflected XSS was possible. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. To help mitigate the problem on older releases, use one or more of the following: * Do not give firewall administrators access to pages or functions which allow writing arbitrary files to the firewall. * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to version 2.4.4-p3 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users may also apply the relevant revisions below using the System Patches package to obtain the fix. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master ce77c104eee92cfbbc0d84980e60899295dadeac pfSense/RELENG_2_4_4 48ab49abab178fc03c8b4b437994280272172781 - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAlzcKnEACgkQE7mH/ZIU +Noa4xAAkk8zQjalNispR8caJORB5ESYPLb0z+wYJ1UZU0KTUTuGynHk7em8/KRv phCApkR+MbsF9h/m5iEHhGXYSRbD7dA4LHbMacz/idDzzjArs82MG2CLTH3MSCgf NP3jMqDyhgxaNUJ3Y3XLE3FRLAGeoxlkna+Ki1MXZR15+51szR5serIUlMb8QF9Z g41i4FRYGTQreUfy/TCXiVAtnFJWQEPFS3BGY2+pprrhZXGAdLVhvL5fdMvZ6DqL rpzp4I0yBU9jRk60zXSj+zYvBXVVOHyfL5MnZrsX9sVtAz+NJYY0Y8PWsLHI8Ng4 rMXkOllg8tOABnH0lRR34NbJd1upbl1hN3WlSlJFwL7xykPmHcObZRB/+gYbeKq5 hGuR1Cem4xXJAntVwnBH+0e0uoXDh9vaQmpegQfpDJqxTiKW24Flo7VFUWlyx9aT VvsqBEpiovmM/x80t8ttl1ZlNuJD3dZe5QXfcB/YfTc45tiLRdX8vUq74nRdJ3f6 2jmtoP55h/daaBND3CpdoGHtZdIP+qd18cAobPOR1Z3KCQfHUdCvYgarOHO7NNRd hrIUoiPz/gSVgb8qAWJRuF4B8jA66PAmtxKPivvVtTdfVHDOCXhp/ysc5wE9dBOZ KVeLqHZ833vsrhoEYSgiPncgB2zL3bCGYFcO5M7JpUO1PaIsfh8= =yr1+ -----END PGP SIGNATURE-----