-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-24_05.webgui Security Advisory pfSense Topic: XSS vulnerability in diag_edit.php file browser in the WebGUI Category: pfSense Base System Module: webgui Announced: 2024-11-13 Credits: Alexandre Lepage Affects: pfSense Plus software versions <= 24.03 pfSense CE software versions <= 2.7.2 Corrected: 2024-05-29 16:36:24 UTC (pfSense Plus master, 24.11) 2024-05-29 16:36:24 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2024-11-13 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential Cross-Site Scripting (XSS) vulnerability was identified in the file browser on diag_edit.php. The pfSense Plus and pfSense CE software GUI includes a file editor, diag_edit.php. This file editor includes a browsing function which allows administrators to navigate through files and directories on the firewall when selecting a file to edit. This file browser did not encode directory names before outputting them in the file/directory list or in the breadcrumb navigation. This problem is present on pfSense Plus version 24.03, pfSense CE version 2.7.2, and earlier versions of both. III. Impact A user with sufficient access to create directories with arbitrary names could break rendering of the page. Exploit potential is minimized by the fact that "/" is not valid in directory names so tags cannot be closed. Due to the lack of proper encoding on the affected directory names susceptible to XSS, there is still a small potential that arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not grant users write access to the filesystem unnecessarily. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 24.11 or later, or pfSense CE software versions after 2.7.2 when available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 24.03 and pfSense CE version 2.7.2 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master 33f2ad2414b8a1246d511523b4ec0b67bbb224da pfSense/master 33f2ad2414b8a1246d511523b4ec0b67bbb224da - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmc2AC0ACgkQE7mH/ZIU +Nqe/A//eapvubXuQYNwHXJ7AENOlWmPF9HNLUkRYlvL7Z0boodVT/HXkCF8osTJ PIz4Vh/5xnrXgYnzZLVcJFnPRkg7sbJv/w3jabbDU4oc+UCWug5cCpVt//7lrAZA qEtFMVVi1UJxAdNa2yekH1IqMQ291/oseUB0NAsvHH/Fcnj0gO1df0IJEAZwVnKv ralz7DtObccUuUW1yVyH74MyL9WaS1tS+hVj03HBla+ctr5C7WxrVljEaVbLpjPw HMgq1FVjl1B2xtgOSIAOaxt9Tf+No1b6+3PJtYwBzWCQ5iSEyoVvgHxOE5YZDhfT LtnNteX5Ou5qXQPfj2MAcRyJ4kaL3VFgfu9vwMVR0v/CRx/mOQiRr/r5xPpNQ9yQ rkgVcn1Ykdko34Nyv58Hr9pyD/k5O5vdrSzTmeFtaaDMJXiHixNQRBU2Sxbgrloq xf7vjHUWzfnlOkkfXXsJbEVDv8/pZEgba91YfrriA8g27rh3mRZTRne3M7gOMVDq viLK5+PJ2QNKVcfH2r9Rm9ZHgNWEWTbb/PZGH4CC7CoBGYU/2iQLxvtfiyA7rKTl rp8INDuZq8JN+qOVzcjEGFGyInFIuxXodMUmzDRnIQcFbzu/W4GHm80croHjYpgC GDi+4GqumtmaKMAo+cRg5xuFu8oUyIkYgy8QqfCoI0chjPOOHDY= =9Y0f -----END PGP SIGNATURE-----