Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-15_06.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI

Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 05/25/2015
Created: 07/25/2018
Added: 08/25/2017
Modified: 03/27/2020

Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were found in the pfSense WebGUI.

* Stored XSS via the "descr" parameter in /usr/local/www/system_authservers.php (Found by Nicholas Starke)
* Stored XSS via the "proxypass" parameter in /usr/local/www/system_advanced_misc.php (Found by Nicholas Starke)
* Stored XSS via the "smtpport" parameter in /usr/local/www/system_advanced_notifications.php (Found by Nicholas Starke)
* Reflected XSS via the "zone" parameter in /usr/local/www/services_captiveportal_zones.php when deleting a zone (Found by William Costa)
* Reflected XSS via the "adaptiveend", "adaptivestart", "maximumstates", "maximumtableentries", and "aliasesresolveinterval" parameters in /usr/local/www/system_advanced_firewall.php (Found by Nicholas Starke)
* Reflected XSS via the "proxyurl", "proxyuser", and "proxyport" parameters in /usr/local/www/system_advanced_misc.php (Found by Nicholas Starke)
* Reflected XSS via the "srctrack", "use_mfs_tmp_size", "use_mfs_var_size" parameters in /usr/local/www/system_advanced_misc.php (Found internally)
* Reflected XSS via the "name", "notification_name", "ipaddress", "password", "smtpipaddress", "smtpport", "smtpfromaddress", "smtpnotifyemailaddress", "smtpusername", and "smtppassword" parameters in /usr/local/www/system_advanced_notifications.php (Found by Nicholas Starke)
* XSS via the "port", "snaplen", "count" parameters in /usr/local/www/diag_packet_capture.php (Found internally)
* XSS via the "pppoe_resethour", "pppoe_resetminute", "wpa_group_rekey", "wpa_gmk_rekey" parameters in /usr/local/www/interfaces.php (Found internally)
* XSS via the "pppoe_resethour", "pppoe_resetminute" parameters in /usr/local/www/interfaces_ppps_edit.php (Found internally)
* XSS via the "member" array parameter in /usr/local/www/interfaces_qinq_edit.php (Found internally)
* XSS via the "port", "retry" parameter in /usr/local/www/load_balancer_pool_edit.php (Found internally)
* XSS via the "pkgrepourl" parameter in /usr/local/www/pkg_mgr_settings.php (Found internally)
* XSS via the "zone" parameter in /usr/local/www/services_captiveportal.php (Found internally)
* XSS via the "port" parameter in /usr/local/www/services_dnsmasq.php (Found internally)
* XSS via the "server" array parameter in /usr/local/www/services_ntpd.php
* XSS via the "port" parameter in /usr/local/www/services_unbound.php (Found internally)
* XSS via the "cache_max_ttl", "cache_min_ttl" parameters in /usr/local/www/services_unbound_advanced.php (Found internally)
* XSS via the "sshport" parameter in /usr/local/www/system_advanced_admin.php (Found internally)
* XSS via the "id", "tunable", "descr", "value" parameters in /usr/local/www/system_advanced_sysctl.php (Found internally)
* XSS via the "firmwareurl", "repositoryurl", "branch" parameters in /usr/local/www/system_firmware_settings.php (Found internally)
* XSS via the "pfsyncpeerip", "synchronizetoip", "username", "passwordfld" parameters in /usr/local/www/system_hasync.php (Found internally)
* XSS via the "maxmss" parameter in /usr/local/www/vpn_ipsec_settings.php (Found internally)
* XSS via the "ntp_server1", "ntp_server2", "wins_server1", "wins_server2" parameters in /usr/local/www/vpn_openvpn_csc.php (Found internally)
* Multiple XSS issues were identified in obsolete/unused files. These have been removed (Found internally):
    /usr/local/www/load_balancer_relay_action.php
    /usr/local/www/load_balancer_relay_action_edit.php
    /usr/local/www/load_balancer_relay_protocol.php
    /usr/local/www/load_balancer_relay_protocol_edit.php

Due to the lack of proper encoding on the affected variables and pages, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised.
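The root cause named in the description, missing output encoding, shown in PHP as an added example (not pfSense source and not part of the advisory). The function names and the sample input are constructed for illustration; the field names "port" and "member" are borrowed from the list in the description.

```php
<?php
// Added illustration; not pfSense source. All function names are hypothetical.

// Encode a value for an HTML text or quoted-attribute context.
// Array parameters (such as "member" or "server") are encoded element by element.
function html_encode($value)
{
    if (is_array($value)) {
        return array_map('html_encode', $value);
    }
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate a numeric field such as "port" before it is stored or echoed back.
function valid_port($value)
{
    return is_string($value) && preg_match('/^[0-9]{1,5}$/', $value) === 1
        && (int)$value >= 1 && (int)$value <= 65535;
}

// Vulnerable pattern: the request value is written into the page verbatim.
function render_field_unsafe($name, $value)
{
    return '<input name="' . $name . '" value="' . $value . '" />';
}

// Hardened pattern: every dynamic value is encoded at output time.
function render_field($name, $value)
{
    return '<input name="' . html_encode($name) . '" value="' . html_encode($value) . '" />';
}

// Constructed sample input standing in for $_POST.
$post = array(
    'port'   => '8443"><b>injected</b>',
    'member' => array('10', '20"><i>x</i>'),
);

echo render_field_unsafe('port', $post['port']), "\n"; // markup escapes the attribute
echo render_field('port', $post['port']), "\n";        // same input rendered as inert text

// Validation failure messages must encode the rejected value too.
if (!valid_port($post['port'])) {
    echo 'input error: ', html_encode($post['port']), " is not a valid port\n";
}

// Array parameter: each element is encoded before it reaches the page.
foreach (html_encode($post['member']) as $tag) {
    echo '<input name="member[]" value="' . $tag . '" />', "\n";
}
```

Encoding at output time covers both the stored and the reflected cases, because the value is neutralized wherever it is rendered regardless of how it arrived.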

Solution(s)

  • pfsense-upgrade-latest
