-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-24_03.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Multiple XSS vulnerabilities in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2024-04-22
Credits:        Li Jiantao of STAR Labs SG Pte. Ltd.
Affects:        pfSense Plus software versions <= 23.09.1
                pfSense CE software versions <= 2.7.2
Corrected:      2024-03-06 17:07:02 UTC (pfSense Plus master, 24.03)
                2024-03-06 17:04:57 UTC (pfSense CE master, 2.8.0)

0.   Revision History

     v1.0  2024-04-22 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

Multiple potential Cross-Site Scripting (XSS) vulnerabilities were found in
PHP error display formatting. PHP error messages are plain text, not HTML,
but the GUI formats them as HTML when displaying errors in-line on all
pages.

The PHP Error log display function on crash_reporter.php also displays the
PHP Error log file content without encoding.

Additionally, PHP prints function arguments in the stack trace, which may
contain user input.

This problem is present on pfSense Plus version 23.09.1, pfSense CE version
2.7.2, and earlier versions of both.

III. Impact

Combined, these issues have the potential to lead to an XSS if the user can
log in, trigger a PHP error, and influence the arguments displayed in the
stack trace. Due to the lack of proper encoding on the affected output
susceptible to XSS, arbitrary JavaScript could be executed in the user's
browser. The user's session cookie or other information from the session
may be compromised.

Only the first 15 characters of user input are printed in the function
arguments, severely limiting the potential exposure.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.

* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 24.03 or later, or
pfSense CE software versions after 2.7.2 when available. This upgrade may be
performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 23.09.1 and pfSense CE version 2.7.2 may apply
the fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes
to the affected files if the patches do not apply directly. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
plus/plus-master      9d78a172ec6c9b959ac1f5b321637e5009320658
                      e7d7547c11291f04213eaf38eea12b11f434630f
                      bde72e2d864ba57f2f14e0a4005104d942cdb11d
pfSense/master        9d78a172ec6c9b959ac1f5b321637e5009320658
                      e7d7547c11291f04213eaf38eea12b11f434630f
                      bde72e2d864ba57f2f14e0a4005104d942cdb11d
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmYivFIACgkQE7mH/ZIU
+Np2XA/+OYbQRR14bTeM0YYkv60upGr5s7dd938mKJP6ZVGPhTrLwXLcUF4iTZMY
IxSv9oP/22UN6/sfPDWJuCmOMNyc3Lbl5+pQSI0l2YfmxC3RqVWC8gl/w14x3yua
tBlx3yxm0YfQvIqG7fZwXSQGkTeNfwoyOw/NETRNXylfIgRvC4PCC5Q+wqzniWqX
n9HyVX9wNS7k8BJV8EXLnxshcVySvx2nXFsr0g/8VhNZ5+guMih47VGSwOFxIoZm
OHkMnErU/eHDqfP9+Z1/U8ebY/fdiQByMulB2Aj7aI02mQ1UYZHLiD607NM6Whr3
86WuGSIrimp7Xwjg2LbWNLAqBD+EnFOowTDUk3fBUvcnmakujH/1N/tQ9+cdMQce
V0X5NA+PDZn/RUO8nqOH69QfULk+jC7j+ltn9T8mdF5XQUim1jSdFCo6H0XPQlUT
fDxFqRiwPyhpDrT9oam50HJ+LJ1gtlLzsK8vv1guS3SnZJNIpTzEyMk+CxAeylFQ
VSmDilGnkogpTRGuNGm75eqJ+Ou2TFSywIfx+AOAcuGWLFIBlJyLZ3P1YQG/gm7c
K4TBmF70PEUl4KBCqshhVaGx9utUDhnacBGB5uL8hWMXWc4O+h8QLhP7OkHiETgH
+KqQpJTvoVEcUclJuoGQ5hPyfAM5XyTZrnj+WZH+/QO4mEcloeI=
=Bbye
-----END PGP SIGNATURE-----
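The encoding gap described in sections II and III (a plain-text PHP error, including a stack trace whose function arguments can carry user input, pasted into an HTML page without encoding) is illustrated below. This is an added example written for this page, not pfSense code and not taken from the correction revisions listed above; the error text, file path and function names in it are constructed, and `render_error_unsafe`, `render_error_safe` and `render_log_safe` are hypothetical helpers.

```php
<?php
// Added example (not pfSense code): rendering a plain-text PHP error message,
// including a stack trace with user-influenced arguments, inside an HTML page.

// Constructed sample of a PHP fatal error with a stack trace. Argument #1 of
// the (hypothetical) function example() contains user input; a harmless <b>
// tag stands in for any markup that input might carry.
$sample_error = "PHP Fatal error:  Uncaught TypeError: example(): Argument #1 (\$n) must be of type int, string given\n"
    . "Stack trace:\n"
    . "#0 /usr/local/www/example.php(10): example('<b>user inpu...')\n"
    . "#1 {main}";

// Vulnerable pattern: the plain-text message is wrapped in HTML as-is, so any
// markup inside the trace becomes live markup in the administrator's browser.
function render_error_unsafe(string $msg): string
{
    return '<pre class="error">' . $msg . '</pre>';
}

// Hardened pattern: encode the text first, then add HTML structure around it.
// ENT_QUOTES encodes both quote characters, so the result is also safe inside
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the output.
function encode_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_error_safe(string $msg): string
{
    return '<pre class="error">' . encode_for_html($msg) . '</pre>';
}

// The same rule applies to a log file read from disk (the crash_reporter.php
// case): every line is encoded before it is echoed into the page.
function render_log_safe(string $path): string
{
    $lines = @file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return '<pre class="log"></pre>';
    }
    $out = '';
    foreach ($lines as $line) {
        $out .= encode_for_html($line) . "\n";
    }
    return '<pre class="log">' . $out . '</pre>';
}

// Demonstration: the unsafe renderer emits the <b> tag as live markup, the
// safe renderer emits &lt;b&gt; so the browser shows the tag text literally.
echo render_error_unsafe($sample_error), "\n\n";
echo render_error_safe($sample_error), "\n";
```

The truncated argument in the constructed trace (`'<b>user inpu...'`) mirrors the advisory's note that only the first 15 characters of each string argument reach the stack trace; that limit is PHP's default for the `zend.exception_string_param_max_len` INI setting (PHP 8.0 and later). The design point is ordering: encoding has to happen on the plain text before any HTML is added around it, because encoding afterwards would also escape the wrapper's own tags.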