Skip to content

Instantly share code, notes, and snippets.

@dharmeshbaskaran
Created July 12, 2021 19:43
Show Gist options
  • Save dharmeshbaskaran/55d546496bfb0ba28117e846d8b785db to your computer and use it in GitHub Desktop.
Save dharmeshbaskaran/55d546496bfb0ba28117e846d8b785db to your computer and use it in GitHub Desktop.
Authenticated Stored XSS in pfSense 2.4.4-p2
=============================================================================
pfSense-SA-19_04.webgui Security Advisory
pfSense
Topic: XSS vulnerability in the WebGUI
Category: pfSense Base System
Module: webgui
Announced: 2019-05-20
Credits: Dharmesh Baskaran -- https://www.linkedin.com/in/dharmeshbaskaran
CVE ID: CVE-2020-19203
Affects: pfSense software versions <= 2.4.4-p2
Corrected: 2019-05-08 20:44:26 UTC (pfSense/master, pfSense 2.5.0)
2019-05-08 20:44:26 UTC (pfSense/RELENG_2_4_4, pfSense 2.4.4-pX)
URL: https://pfsense.org/security/advisories/pfSense-SA-19_04.webgui.asc
https://redmine.pfsense.org/issues/9507
I. Background
pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.
The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge. The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.
II. Problem Description
A Cross-Site Scripting (XSS) vulnerability was found in
widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software
WebGUI, on version 2.4.4-p2 and earlier.
The widget did not encode the descr (description) parameter of wake-on-LAN
entries in its output, leading to a possible stored XSS.
III. Impact
Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.
IV. Workaround
No workaround. To help mitigate the problem on older releases, use one or more
of the following:
* Do not give firewall administrators access to pages or functions which allow
writing arbitrary files to the firewall.
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
administrative web browsing.
V. Solution
Users can upgrade to version 2.4.4-p3 or later. This upgrade may be performed in
the web interface or from the console.
See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html
Users may also apply the relevant revisions below using the System Patches
package to obtain the fix.
See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
VI. Correction details
The following list contains the correction revision commit ID for each
affected item.
Branch/path Revision
- - -------------------------------------------------------------------------
pfSense/master 5789a02eab9b2ebbcb1f28d1d037b408b436a853
pfSense/RELENG_2_4_4 5b5bb2483cd955084809e877d56e620fe433dd1d
- - -------------------------------------------------------------------------
VII. References
<URL:https://redmine.pfsense.org/issues/9507>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment