pfSense: pfSense-SA-17_05.webgui: Multiple XSS vulnerabilities in the WebGUI
Description
Cross-Site Scripting (XSS) vulnerabilities were found in three pages of the pfSense software WebGUI on version 2.3.4 and earlier. * On vendor/filebrowser/browser.php, which is part of the "Browse" function on diag_edit.php, the "filename" parameter can be used to trigger an XSS if a file exists with a specially-crafted name. In order to exploit this, a user must be able to write files with arbitrary names to the firewall and then coerce an administrator with GUI access to load that same file in diag_edit.php through the file browser. * On firewall_nat_edit.php, the "interface" parameter was not validated on save, so a specially-crafted submission could store an interface with a name that could trigger an XSS through the dst_change() JavaScript function on the page. * On diag_tables.php, the "type" parameter which contains the table name to display was not being validated against a list of current tables. The unvalidated parameter was submitted back via AJAX to load the invalid table, and was presented to the user unencoded. Due to the lack of proper encoding on the affected variable susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised.
Solution(s)
- pfsense-upgrade-latest
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center