A reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2022-23993, affects pfSense CE before 2.6.0 and pfSense Plus before 22.01. The flaw is in /usr/local/www/pkg.php, which echoes the $_REQUEST['pkg_filter'] parameter into the page without HTML encoding it. An attacker who gets a logged-in administrator to open a crafted URL can run JavaScript inside that administrator's webGUI session and issue requests to the firewall's web interface as that user.

Technical Details

The root cause is that /usr/local/www/pkg.php copies a value from the $_REQUEST superglobal straight into the HTML it emits. The relevant lines from the vulnerable file:

<?php
// pkg.php - (part of pfSense)
[...]
$pkgFilter = (isset($_REQUEST['pkg_filter'])) ? $_REQUEST['pkg_filter'] : '';
?>
[...]
<input class="form-control" type="text" id="packagesFilterInput" name="pkg_filter" value="<?= $pkgFilter ?>"></input>

The value of $_REQUEST['pkg_filter'] is written into the value attribute through the <?= ... ?> short echo tag with no HTML encoding. Because the attribute is delimited by double quotes, a value that begins with a double quote closes the attribute, and whatever follows is parsed as new markup. $_REQUEST merges GET and POST data (and, depending on php.ini, cookies), so the value can be supplied in the query string of a link. That is what makes this reflected XSS: the payload travels in the URL and executes in the browser of whoever opens it, with that user's session.

Exploitation

To exploit this vulnerability, an attacker sends a logged-in pfSense administrator a link such as:

https://TARGET-PFSENSE-IP/pkg.php?pkg_filter=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

When the administrator opens the link while authenticated to the webGUI, pkg.php reflects the decoded payload "><script>alert(1)</script> into the input element: the leading "> closes the value attribute and the input tag, and the script element that follows runs in the administrator's session. The alert is only a proof of execution; a real payload would use that session to read pages of the webGUI, harvest the anti-CSRF token and submit configuration changes. Note that pkg.php sits behind the webGUI login, so the target must already have an authenticated session for the page, and therefore the payload, to render.
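The following is an added example, not code from pfSense: it reproduces the pkg_filter rendering from the Technical Details section, once as the vulnerable page did it and once with output encoding, and feeds both the decoded payload from the exploit URL above. The function names, the crude injected-markup check and the payload string are constructed for this demonstration; encoding the value with htmlspecialchars() on output is the standard fix for this class of bug and is shown as such, not as the exact change pfSense shipped.

```php
<?php
// Added example (not pfSense's own code): the pkg_filter reflection from pkg.php,
// rendered as the vulnerable page did it and then with output encoding.
declare(strict_types=1);

// Vulnerable rendering: the request value is interpolated into a double-quoted
// attribute without encoding, so a leading double quote closes the attribute
// and everything after it is parsed as new markup.
function render_filter_input_vulnerable(string $pkgFilter): string
{
    return '<input class="form-control" type="text" id="packagesFilterInput"'
        . ' name="pkg_filter" value="' . $pkgFilter . '">';
}

// Hardened rendering: htmlspecialchars() with ENT_QUOTES encodes &, <, >, " and '
// so the value can never terminate the attribute or open a tag. ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of silently returning an empty string, and the
// explicit charset avoids depending on default_charset in php.ini.
function render_filter_input_safe(string $pkgFilter): string
{
    $encoded = htmlspecialchars($pkgFilter, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input class="form-control" type="text" id="packagesFilterInput"'
        . ' name="pkg_filter" value="' . $encoded . '">';
}

// Demonstration-only check (hypothetical helper): the template should emit exactly
// one tag, so any additional tag start means the request value injected markup.
function contains_injected_markup(string $html): bool
{
    return preg_match_all('/<[a-zA-Z\/]/', $html) > 1;
}

// Constructed payload: the exploit URL's pkg_filter value after URL decoding.
$payload = '"><script>alert(1)</script>';

$vuln = render_filter_input_vulnerable($payload);
$safe = render_filter_input_safe($payload);

printf("vulnerable: %s\n  injected markup? %s\n", $vuln,
    contains_injected_markup($vuln) ? 'yes' : 'no');
printf("hardened:   %s\n  injected markup? %s\n", $safe,
    contains_injected_markup($safe) ? 'yes' : 'no');
```

Run it with php from the command line. The vulnerable output contains a complete script element alongside the input, while the hardened output keeps the whole payload inside the attribute as `&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;`. ENT_COMPAT (the pre-8.1 default) would also have encoded the double quote that matters here, but ENT_QUOTES is the habit to keep, since the same helper is often reused for single-quoted attributes.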

Mitigation

To fix this issue, users running affected versions (pfSense CE before 2.6.0 and pfSense Plus before 22.01) should upgrade to CE 2.6.0 or Plus 22.01 or later; these releases contain the fix for the vulnerability described in this post. Until the upgrade is done, keep webGUI access restricted to trusted management networks and avoid following untrusted links from a browser that holds an active pfSense session, since the attack needs the victim to be logged in.

Upgrade instructions are in the official pfSense documentation:

1. pfSense CE - Upgrading pfSense CE
2. pfSense Plus - Upgrading pfSense Plus

Original References

1. CVE-2022-23993 - NVD
2. pfSense Release Announcement
3. pfSense Security Advisories

Stay informed and ensure your systems are updated to the latest versions to keep them secure.

Timeline

Published on: 01/26/2022 19:15:00 UTC
Last modified on: 04/29/2022 19:32:00 UTC