Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were found in the pfSense WebGUI.

The "Descriptive Name" field of Limiters, Layer 7 Containers, and ALTQ Traffic Shaper queues was not encoded properly in certain cases. As a result, stored XSS was possible when values entered in these fields were displayed to the user.

The stored "Current Category" selection for RRD Graphs was not encoded before being displayed to the user. As a result, stored XSS was possible.

The stored description values of OpenVPN instances (clients and servers) were not encoded before being displayed to the user. As a result, stored XSS was possible.

The stored Description field on Aliases, along with their detailed item descriptions, was not encoded before being displayed to the user. As a result, pages that included Alias detail tooltips, such as the Firewall Rule and NAT Rule lists, had a potential for stored XSS.

When attempting to delete an alias, the Description of a firewall rule was not encoded before being displayed to the user. As a result, stored XSS was possible.

The text of GUI notifications was not being sanitized before being displayed to the user. As a result, stored XSS was possible via notification text, such as a rule description when an alias cannot be resolved.

The descriptive name of an authentication server entry was not being sanitized before being displayed to the user. As a result, stored XSS was possible on several pages that utilized authentication server entries.

The description of Load Balancer pools and virtual servers was not being sanitized before being displayed to the user. As a result, stored XSS was possible on several pages that displayed the description.

The mode parameter of a Load Balancer Pool entry was not being validated before being stored or sanitized before being displayed to the user. As a result, stored XSS was possible on pages that displayed the mode.
The relay_protocol parameter of a Load Balancer Virtual Server entry was not being validated before being stored or sanitized before being displayed to the user. As a result, stored XSS was possible on pages that displayed the relay_protocol text.

List of affected pages for pfSense 2.2.x, in usr/local/www/:

- firewall_shaper_vinterface.php (Discovered by Nicholas Starke)
- firewall_shaper_layer7.php (Nicholas Starke)
- firewall_shaper.php (Internal)
- status_rrd_graph.php (Dhinesh Kumar)
- guiconfig.inc [Alias Tooltip] (Hari Hara Subramani, Internal)
- system_usermanager_settings.php (Sivathmican Sivakumaran)
- diag_authentication.php (Internal)
- vpn_ipsec_mobile.php (Internal)
- vpn_openvpn_server.php (Internal)

List of affected pages on both pfSense 2.2.x and 2.3, in usr/local/www/ (2.2.x) or src/usr/local/www/ (2.3):

- status_openvpn.php (Dhinesh Kumar, Internal)
- firewall_aliases.php (Hari Hara Subramani)
- system_usermanager_settings_test.php (Internal)
- widgets/widgets/openvpn.widget.php (Dhinesh Kumar)
- load_balancer_pool.php (Dhinesh Kumar)
- load_balancer_pool_edit.php (Dhinesh Kumar)
- load_balancer_virtual_server.php (Dhinesh Kumar)
- load_balancer_virtual_server_edit.php (Dhinesh Kumar)
- status_lb_pool.php (Dhinesh Kumar)
- status_lb_vs.php (Dhinesh Kumar)
- widgets/widgets/load_balancer_status.widget.php (Dhinesh Kumar)

In etc/inc/ (2.2.x) or src/etc/inc/ (2.3):

- etc/inc/functions.inc [GUI Notices] (Hari Hara Subramani)

Due to the lack of proper encoding on the affected variables and pages, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised.
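The two defect classes in this advisory, a stored field echoed into HTML without encoding and an enumerated parameter stored without validation, are illustrated below in plain PHP. This is an added example and not pfSense code; the alias array, the submitted mode value and the allow-list of modes are all constructed for the illustration.

```php
<?php
// Added illustration of the advisory's two defect classes; not pfSense's own code.
// All field names and values below are constructed for the example.

// Constructed "stored" alias, as it might come back from the configuration store.
$alias = [
    'name'  => 'WebServers',
    'descr' => 'Public web hosts <script>alert(1)</script>',
];
// Constructed untrusted form value for an enumerated parameter such as a pool mode.
$pool_mode_submitted = 'loadbalance" onmouseover="alert(1)';

// Vulnerable pattern: the stored description is placed into an attribute and the
// name into element text without any encoding, so markup in either runs in the page.
function render_alias_tooltip_vulnerable(array $alias): string {
    return '<span title="' . $alias['descr'] . '">' . $alias['name'] . '</span>';
}

// Hardened pattern: encode at output time, at the point the value meets HTML.
// ENT_QUOTES escapes both quote characters, which is what makes the attribute
// context safe; ENT_HTML5 and an explicit charset avoid encoding ambiguities.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function render_alias_tooltip_hardened(array $alias): string {
    return '<span title="' . h($alias['descr']) . '">' . h($alias['name']) . '</span>';
}

// Hardened input side for an enumerated parameter: accept only values from a fixed
// allow-list before storing, so the stored value can never carry markup. The list
// here is constructed for the example, not taken from pfSense.
function validate_pool_mode(string $mode): ?string {
    $allowed = ['loadbalance', 'failover'];
    return in_array($mode, $allowed, true) ? $mode : null;
}

echo render_alias_tooltip_vulnerable($alias), PHP_EOL; // script element is live in the page
echo render_alias_tooltip_hardened($alias), PHP_EOL;   // same text rendered as inert characters
var_dump(validate_pool_mode($pool_mode_submitted));    // rejected before storage
var_dump(validate_pool_mode('failover'));              // accepted
```

Encoding on output and validating on input are complementary: the first closes the display-side defects listed above, the second closes the mode and relay_protocol storage-side defects.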