-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-24_08.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Stored XSS vulnerability in Interface Groups in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2024-11-13
Credits:        Github user physicszq
Affects:        pfSense Plus software versions <= 24.03
                pfSense CE software versions <= 2.7.2
Corrected:      2024-10-14 14:44:59 UTC (pfSense Plus master, 24.11)
                2024-10-14 14:44:59 UTC (pfSense CE master, 2.8.0)

0.   Revision History

v1.0  2024-11-13 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A potential Cross-Site Scripting (XSS) vulnerability was identified in
Interface Groups.

When submitting interface group members on interfaces_groups_edit.php the member
list was not validated before it was stored in the configuration. The group
member list is then printed without encoding on interfaces_groups.php, leading
to a potential stored XSS.

This problem is present on pfSense Plus version 24.03, pfSense CE version 2.7.2,
and earlier versions of both.

III. Impact

Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.
* Do not grant users write access to the configuration unnecessarily.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 24.11 or later, or pfSense CE
software versions after 2.7.2 when available. This upgrade may be performed in
the web interface or from the console.

  See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 24.03 and pfSense CE version 2.7.2 may apply the
fix from the recommended patches list in the System Patches package.

  See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each affected
item.

Branch/path                                                        Revision
- - -------------------------------------------------------------------------
plus/plus-master                   9a843098cf3f28c27c3e615c4c788c84bd29df6f
pfSense/master                     9a843098cf3f28c27c3e615c4c788c84bd29df6f
- - -------------------------------------------------------------------------

VII. References

<URL:https://redmine.pfsense.org/issues/15778>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>

The latest revision of this advisory is available at
<URL:https://docs.netgate.com/downloads/pfSense-SA-24_08.webgui.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmc1DYcACgkQE7mH/ZIU
+Nqs1g/8C5hmImsjUCXP8vHlU3RYKACpSHNLXWQM1se5V/GewCgJQL88+ddWQxev
9mzsAZ6AnODA3y2QB760ypwMrNSKkyi+Urgl9OQSLmAKUoEfruWQF1JMQ7CE627E
D3H0Ig1R1jgx9l+SUUncHz/7lLwVYjhyphXHLlZtxD3+OSUoxWWLki/V8LBsR1AA
B0/Y95W+M8yDdWkIXuXZI2uXX3T6pHeqLhuqygfYAADgXy2xZ2omRoCT7ltdJbwA
ystYUme7106vXSz4fTbBANxfI+czxXSUe0OTNVcHzXeY37mfyD8Gz7kFPLE5npeU
jc/mMpChmZcooeS/qy9X2D5PjdrzmXhmjKjwvJt/AJN9rEdN4xNjT1DsdxQam6Xq
EKbLn/Pb3jUu9BWA0JoLQNXhxzdvE+9HSJGEfcdLhn5lm8MN/mt/IDNJphNETVtu
JTqZqZ6HCF4lEcCDKbxSsZuegEyMf9rHBeO4XWpQuUEimkIGXegZWNQgiFoAzC7p
HDUYCPXRKj7qq6Sz2AD2wUrwj37mEutFH5baiVOCe9sZWBxFJ9SVwXzrj6+qsK2A
PigjafoGueubLUbK4bNV11FUpSnUM6DfpnW9FRt61naSvoD0sytD/VjUA70mjOym
Skmis28G6gv1z/KM6oM9ptlYUib34SEvyMW5hOPpAgJyolx6f9o=
=dPVd
-----END PGP SIGNATURE-----