-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-24_04.webgui                                   Security Advisory
                                                                  pfSense

Topic:          XSS vulnerability in vendor files used by the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2024-04-22
Credits:        Li Jiantao of STAR Labs SG Pte. Ltd.
Affects:        pfSense Plus software versions <= 23.09.1
                pfSense CE software versions <= 2.7.2
Corrected:      2024-02-16 17:17:17 UTC (pfSense Plus master, 24.03)
                2024-02-16 17:07:42 UTC (pfSense CE master, 2.8.0)

0.   Revision History

     v1.0  2024-04-22  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall
distributions, there is no need for any UNIX knowledge. The command line is
never used, and there is no need to ever manually edit any rule sets.
Instead, pfSense software includes a web interface for the configuration of
all included components. Users familiar with commercial firewalls will
quickly understand the web interface, while those unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

A potential Cross-Site Scripting (XSS) vulnerability was identified in the
jquery-treegrid unit testing files. The pfSense Plus and pfSense CE software
GUI includes the jquery-treegrid library for use in the disks widget on the
Dashboard.

The jquery-treegrid library ships with unit testing files for a bundled unit
testing library (QUnit). That unit testing library has multiple issues,
including a known XSS vulnerability.

This problem is present on pfSense Plus version 23.09.1, pfSense CE version
2.7.2, and earlier versions of both.

III. Impact

Due to the lack of proper encoding on the affected parameters susceptible
to XSS, arbitrary JavaScript could be executed in the user's browser. The
user's session cookie or other information from the session may be
compromised.

These static vendor library files are accessible to users who are not
logged into the GUI. Only access to the web server at a network level is
required.

IV.  Workaround

These vendor unit test files do not need to be shipped with the GUI, as
they provide no function outside of testing and development. To mitigate
the problem on older releases, remove the following files and directories:

  * /usr/local/www/vendor/jquery-treegrid/test.html
  * /usr/local/www/vendor/jquery-treegrid/tests/
  * /usr/local/www/vendor/jquery-treegrid/index.html

Additionally, ensure that access to the GUI web service is only allowed
from trusted management hosts and/or networks.

V.   Solution

Users can upgrade to pfSense Plus software version 24.03 or later, or
pfSense CE software versions after 2.7.2 when available. This upgrade may
be performed in the web interface or from the console.

See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 23.09.1 and pfSense CE version 2.7.2 may
apply the fix from the recommended patches list in the System Patches
package.

Users may also manually apply the relevant revisions below using the
System Patches package on earlier versions, or by manually making similar
changes to the affected files if the patches do not apply directly.

See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
plus/plus-master                  4e8f6cedd9c4b32b24ac3619f84e33a9a4708a29
pfSense/master                    4e8f6cedd9c4b32b24ac3619f84e33a9a4708a29
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmYivFcACgkQE7mH/ZIU
+No1URAAxVRHlO04VPKpxLpEEl35cS72QpNrkyqgNKghuWuNMWa0CFoavKbFCXcU
+Z557xJ0POMQSKa4peMOh2gF2vgkSjSceIzZze43lpLruM0PdgmSsv1a2IIYLF+c
s/uVQnbRaka9pv0vnOp3i5jYJ422mdUd7rQE9uzr8eU0ZeJp2OaOetP0f/kVRjAG
s83qMJj+13exa1hnUT25v9e1tWtcxS0x6Eqntq7qgYZDKhVZm31YrD6JX7+72II5
oLjYs0f2IuQKStx0hQ83/HCKToSKBq068/6IreD8phqZYyUvB/EBtxfDZ84jeZVt
5fvnpW8wZMde/XYMUNKSE51SBBg5zXltZd7mI4E0p++PKsJY5L8pv4EbO5TwAK2w
2p+jreZkYu75VBxDzndgK2YIs+zxXW2nqmPajMo5PlYT74c6wtQXdGLilcebueim
bCJOZ6Wy/aV3s/6zaWNtAqYUWzcPXcqTtQDQydLojXxWffYNlZOGkmjbdCuerp0n
sH2UJ5E0rVeX+PnjB4I4Vn94lJhXC2cgT3ac4/Z7rij7RUlxc9F6G9kZDy0h3Sej
EbbVDWG8xCvZgc/jVxIDSCxpkq5KAS6Yw6WPzALsuZWuMPVSZLRRPZ8z1g4Kj65B
cO33G03NRiNGrFrzSqjP5aITtBpxBMlI+pXyvNwnlz5zwkNh3/k=
=YXqr
-----END PGP SIGNATURE-----
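Added example for the workaround in section IV and the exposure described in section III. This POSIX shell script is not part of the advisory and is not Netgate's code: it deletes the three jquery-treegrid test artifacts the advisory lists and then lets an operator confirm, from a management host and without logging in, that the GUI no longer serves them. The variable WWW_ROOT and the functions list_present, remove_treegrid_tests and probe_gui are this example's own names; the three paths are exactly those given in section IV, and the GUI URL passed to probe is an assumption the operator supplies.

```shell
#!/bin/sh
# Added example, not part of the advisory or of pfSense itself: apply the
# section IV workaround (delete the jquery-treegrid test artifacts) and
# check from a management host that the GUI no longer serves them.
# WWW_ROOT defaults to the pfSense web root; override it to exercise the
# functions against a scratch directory.

WWW_ROOT="${WWW_ROOT:-/usr/local/www}"

# The three paths named in section IV, relative to the web root.
TREEGRID_TEST_PATHS="vendor/jquery-treegrid/test.html
vendor/jquery-treegrid/tests
vendor/jquery-treegrid/index.html"

# Print every listed path that still exists under the web root given as $1.
# Returns 0 if at least one remains, 1 if all are gone.
list_present() {
    root="$1"
    remaining=1
    for p in $TREEGRID_TEST_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "$root/$p"
            remaining=0
        fi
    done
    return $remaining
}

# Delete the listed paths under the web root given as $1.
# rm -rf because tests/ is a directory. Nothing else under
# vendor/jquery-treegrid/ is touched, so the Dashboard disks widget
# that depends on the library keeps working.
remove_treegrid_tests() {
    root="$1"
    for p in $TREEGRID_TEST_PATHS; do
        rm -rf "$root/$p"
    done
}

# Request each test path from a GUI base URL such as https://192.0.2.1
# (assumed, supplied by the operator) without credentials. A 200 for any
# of them means the files are still reachable by anyone who can reach the
# web server, as section III describes. -k skips certificate verification
# for the usual self-signed GUI certificate; drop it if the GUI has a
# trusted certificate. Returns 1 if anything is still served.
probe_gui() {
    base="$1"
    exposed=0
    for p in $TREEGRID_TEST_PATHS; do
        # "|| true" keeps an unreachable host from aborting the loop;
        # curl then reports status 000 for that URL.
        code=$(curl -k -s -o /dev/null -w '%{http_code}' "$base/$p" || true)
        echo "$code $base/$p"
        if [ "$code" = "200" ]; then
            exposed=1
        fi
    done
    return $exposed
}

case "${1:-}" in
    apply)
        remove_treegrid_tests "$WWW_ROOT"
        if list_present "$WWW_ROOT"; then
            echo "some test files remain under $WWW_ROOT" >&2
            exit 1
        fi
        echo "workaround applied under $WWW_ROOT"
        ;;
    probe)
        probe_gui "${2:?usage: $0 probe https://gui-host}"
        ;;
    *)
        echo "usage: $0 apply | probe https://gui-host" >&2
        ;;
esac
```

Run `apply` as root on the firewall itself (console menu shell or SSH), and `probe` from a management host against the GUI URL, including a non-default port if one is configured. Running `probe` before `apply` shows the pre-workaround state the advisory describes: the test files answer 200 with no session at all.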