-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-20_06.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2020-03-10 Credits: Matthew Aberegg Affects: pfSense software versions <= 2.4.4-p3 Corrected: 2020-03-09 12:55:51 UTC (pfSense/master, pfSense 2.5.0) 2020-03-09 12:55:57 UTC (pfSense/RELENG_2_4_5, pfSense 2.4.5) 0. Revision History v1.0 2020-03-10 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in system_usermanager_addprivs.php, a component of the pfSense software WebGUI, on version 2.4.4-p3 and earlier. The page did not encode the descr parameter (full name) of a user in its output, leading to a possible XSS. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to version 2.4.5 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users may also apply the relevant revisions below using the System Patches package on pfSense 2.4.4-p3. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master 3c1e53dabe966f27c9097a5a923e77f49ae5fffa pfSense/RELENG_2_4_5 63b2d08b84b5c1707db809209d7a30569ec2e1e1 - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAl5n9m8ACgkQE7mH/ZIU +NrR8A//YQBkk4368Oj2pBcSmQJMuYtaQTtMm8NB7+YPMNKFperk9GrT3l9yn+EJ EBvPGXCTRx5FBRkcsgwOhmsTI3aPollq4MUQHRNb6sfHBW4Xc5x3dMUbtvq5KYdp 5SfZBXT/ws5SgzyZykDmmaYsmrK1Q6Cl8dHPEbYLBOH8g9Eqau5dLuoeLorVsdny Nn7EFKVyxFZI+KKzrHVRPPPUoWdBf6VV1+W2WausXy44EKF86TSvgbPGPM1eOy75 8Kizv5QG3nKSUQbFZTDIfTC6I17eIUGZFpavV44vTmzZfjNODYl4JFTGW8rwrg0B kVbQN24kTfO2wyj1IYMHZkcs4YovtwwYZJUhNQ2SpgpRB95g9qJpET2zfNkGGlDr /xogoW4BPOKuR74AigE5ZpblQqcrtnNTkL0mY89yhdHYd/YRcuJ6Mkacswuem+XH BYpTAax3lMJpw8LONY5kt2+iZjDeJ5K4EqKdDNhExg9RoRmT/m77/UT/pdnFyeZV nXYhVqj3naPrjV0y0T0+HiQ5RbFRTVuXb+/jtpy7K7ltYxogvFdJnQr/UtoYLmdr LsuN8pFIlRnp4QvJmboCIefJodlGZsoxrB5BWo1kBhbP3GW2HEceiCPOoWzDO+pq nPCYylLyfor1BfMxaIbbpQR9sjk76+ROVPGUcFRrxo6DAiSzNcM= =6/hy -----END PGP SIGNATURE-----