Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-15_08.webgui: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI


Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 09/04/2015
Created: 07/25/2018
Added: 08/25/2017
Modified: 02/20/2020

Description

Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were found in the pfSense WebGUI. In each case a stored value was displayed to the user without proper encoding (and, for two Load Balancer parameters, without validation before being stored), so stored XSS was possible:

  • The "Descriptive Name" field of Limiters, Layer 7 Containers, and ALTQ Traffic Shaper queues was not encoded properly in certain cases.
  • The stored "Current Category" selection for RRD Graphs was not encoded before being displayed to the user.
  • The stored description values of OpenVPN instances (clients and servers) were not encoded before being displayed to the user.
  • The stored Description field on Aliases, along with their detailed item descriptions, was not encoded before being displayed to the user. As a result, pages that included Alias detail tooltips, such as the Firewall Rule and NAT Rule lists, had a potential for stored XSS.
  • When attempting to delete an alias, the Description of a firewall rule was not encoded before being displayed to the user.
  • The text of GUI notifications was not sanitized before being displayed to the user, so stored XSS was possible via notification text, such as a rule description when an alias cannot be resolved.
  • The descriptive name of an authentication server entry was not sanitized before being displayed to the user, so stored XSS was possible on several pages that utilized authentication server entries.
  • The description of Load Balancer pools and virtual servers was not sanitized before being displayed to the user, so stored XSS was possible on several pages that displayed the description.
  • The mode parameter of a Load Balancer Pool entry was neither validated before being stored nor sanitized before being displayed to the user, so stored XSS was possible on pages that displayed the mode.
  • The relay_protocol parameter of a Load Balancer Virtual Server entry was neither validated before being stored nor sanitized before being displayed to the user, so stored XSS was possible on pages that displayed the relay_protocol text.

List of affected pages for pfSense 2.2.x, in usr/local/www/ (discoverer in parentheses):

  • firewall_shaper_vinterface.php (Nicholas Starke)
  • firewall_shaper_layer7.php (Nicholas Starke)
  • firewall_shaper.php (Internal)
  • status_rrd_graph.php (Dhinesh Kumar)
  • guiconfig.inc [Alias Tooltip] (Hari Hara Subramani, Internal)
  • system_usermanager_settings.php (Sivathmican Sivakumaran)
  • diag_authentication.php (Internal)
  • vpn_ipsec_mobile.php (Internal)
  • vpn_openvpn_server.php (Internal)

List of affected pages on both pfSense 2.2.x and 2.3, in usr/local/www/ (2.2.x) or src/usr/local/www/ (2.3):

  • status_openvpn.php (Dhinesh Kumar, Internal)
  • firewall_aliases.php (Hari Hara Subramani)
  • system_usermanager_settings_test.php (Internal)
  • widgets/widgets/openvpn.widget.php (Dhinesh Kumar)
  • load_balancer_pool.php (Dhinesh Kumar)
  • load_balancer_pool_edit.php (Dhinesh Kumar)
  • load_balancer_virtual_server.php (Dhinesh Kumar)
  • load_balancer_virtual_server_edit.php (Dhinesh Kumar)
  • status_lb_pool.php (Dhinesh Kumar)
  • status_lb_vs.php (Dhinesh Kumar)
  • widgets/widgets/load_balancer_status.widget.php (Dhinesh Kumar)

In etc/inc/ (2.2.x) or src/etc/inc/ (2.3):

  • etc/inc/functions.inc [GUI Notices] (Hari Hara Subramani)

Due to the lack of proper encoding on the affected variables and pages, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised.
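The two defect classes the advisory describes, missing output encoding and missing input validation before storage, shown on a hypothetical Load Balancer pool page as an added example; this is not pfSense's own code, and the record layout and the allowed mode values are assumptions.

```php
<?php
// Added example, not pfSense code. A constructed config record as it might look
// after a crafted description and mode value were saved through the WebGUI.
$pool = [
    'descr' => '<script>alert(1)</script>',
    'mode'  => 'loadbalance<img src=x onerror=alert(1)>',
];

// 1. Output encoding. The vulnerable pattern interpolates the stored value
//    straight into the HTML, so the browser parses any markup it contains.
function render_descr_vulnerable(array $pool): string {
    return '<td>' . $pool['descr'] . '</td>';
}

// Hardened: encode at the point of output. ENT_QUOTES escapes both quote
// characters, which matters when the same value is reused inside an attribute
// (the Alias tooltip case in the advisory).
function render_descr_fixed(array $pool): string {
    return '<td>' . htmlspecialchars($pool['descr'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// 2. Input validation. The 'mode' parameter should never have reached storage
//    with free-form text. Check it against an allowlist when the form is saved
//    (the values below are assumed, not taken from pfSense) and still encode
//    it on output, since validation and encoding guard against different paths.
const POOL_MODES = ['loadbalance', 'failover'];

function validate_mode(string $mode): ?string {
    // Strict comparison so "0" or similar loose matches are not accepted.
    return in_array($mode, POOL_MODES, true) ? $mode : null;
}

function render_mode_fixed(array $pool): string {
    $mode = validate_mode($pool['mode']) ?? 'invalid';
    return '<td>' . htmlspecialchars($mode, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

echo render_descr_vulnerable($pool), "\n"; // script element reaches the browser intact
echo render_descr_fixed($pool), "\n";      // angle brackets encoded, rendered as text
echo render_mode_fixed($pool), "\n";       // crafted mode rejected by the allowlist
```

The same encode-on-output rule applies to every field the advisory lists; validation of enumerated values such as mode and relay_protocol is an additional layer, not a replacement for it.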

Solution(s)

  • pfsense-upgrade-latest
