Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-14_17.webgui: Multiple Cross-Site Request Forgery protection bypass vulnerabilities in the pfSense WebGUI

Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 08/08/2014
Created: 07/25/2018
Added: 08/25/2017
Modified: 03/27/2020

Description

Multiple Cross-Site Request Forgery protection bypass vulnerabilities were discovered in the pfSense WebGUI during a security audit:

  • DNS queries and alias creation are executed with a GET request that lacks CSRF protection on diag_dns.php.
  • Configuration restore and deletion actions on diag_confbak.php are executed with a GET request that lacks CSRF protection.

Due to the lack of CSRF validation on the affected actions and pages, a CSRF attack could be executed in the user's browser to trigger an unwanted action.

Loading the diag_dns.php page with the "host" parameter defined performs a DNS request via GET. This may cause unintended network activity: a DNS host lookup of the supplied name. When a DNS result on diag_dns.php returns multiple hosts, a feature is activated that allows the creation of a firewall alias from the result. This alias is created by following a GET link that has no CSRF protection, so a CSRF attack could lead to the creation of this alias unintentionally.

When selecting a configuration to restore or delete from diag_confbak.php, the request was handled via GET and was not protected against CSRF. An attacker could cause the user to follow a link which would restore an older firewall configuration or delete an older configuration backup unintentionally.
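
The mitigation the advisory implies, shown as an added illustration rather than pfSense's own code: state-changing actions are accepted only over POST, every such POST must carry a token bound to the session, and the former GET links become forms. Function names, the `csrf_token` field and the `action`/`backup` parameters are assumptions; the same pattern applies to the host lookup and alias creation on diag_dns.php.

```php
<?php
// Added illustration (not pfSense code): hardening a GET-driven action page such
// as diag_confbak.php so that a cross-site link can no longer trigger a restore
// or delete. Parameter and function names below are assumptions.
session_start();

// One random token per session, embedded in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Allow only POST, and only with the session's token (constant-time compare).
function require_csrf_post(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);            // a bare GET link must never act
        exit('State-changing actions require POST');
    }
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token');
    }
}

// Validate the restore/delete request; returns the checked action and backup
// name for the page's existing handler to act on.
function checked_confbak_action(): array {
    require_csrf_post();
    $action = $_POST['action'] ?? '';
    if ($action !== 'restore' && $action !== 'delete') {
        http_response_code(400);
        exit('Unknown action');
    }
    // basename() keeps the backup selector from naming a path outside the store.
    return ['action' => $action, 'backup' => basename((string)($_POST['backup'] ?? ''))];
}

function h(string $v): string { return htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); }

// Replace the old GET link with a form that carries the token.
function confbak_form(string $backup, string $action): string {
    return '<form method="post" action="diag_confbak.php">'
         . '<input type="hidden" name="csrf_token" value="' . h(csrf_token()) . '">'
         . '<input type="hidden" name="backup" value="' . h($backup) . '">'
         . '<button name="action" value="' . h($action) . '">' . h($action) . '</button></form>';
}
```

Because the token is never placed in a URL, a GET link built by a third-party site carries no valid token and is refused before any configuration is touched.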

Solution(s)

  • pfsense-upgrade-latest
