Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

pfSense 2.3.1-RELEASE-p1 Squid 0.4.16_2 XSS / Log Manipulation

🗓️ 17 Jun 2016 00:00:00Reported by Remco SprootenType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 32 Views

Multiple vulnerabilities in pfSense 2.3.1-RELEASE-p1 Squid 0.4.16_2. XSS and log manipulation issu

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
I. VULNERABILITY  
- -------------------------  
Multiple vulnerabilities in squid 0.4.16_2 running on pfSense  
Version 2.3.1-RELEASE-p1  
  
II. BACKGROUND  
- -------------------------  
The pfSense project is a free network firewall distribution, based on the  
FreeBSD operating system, with a custom kernel and an array of third-party  
free software packages that can be installed for additional functionality.  
Through this package system pfSense software is able to provide most of  
the functionality of common commercial firewalls, and many times more.  
  
III. DESCRIPTION  
- -------------------------  
In pfSense, it is possible to configure a third-party package, Squid, to  
act as a transparent HTTP proxy. This package uses clamd as an AV  
solution.  
  
If clamd detects a piece of malware in one of the proxied requests, the  
request is blocked and the user is redirected to the following URL  
instead:  
  
https://10.10.10.1/squid_clwarn.php?url=http://www.eicar.org/download/eicar.com&source=10.10.10.100&user=-&virus=stream:%20Eicar-TestSignature%20FOUND  
  
Upon inspection of the source code of the Squid package, the file  
"squid_clwarn.php" appears to contain several vulnerabilities.  
At the start of the file we see that various HTTP GET parameters are  
loaded into local variables through the $_REQUEST superglobal:  
  
==========================================================================  
$url = $_REQUEST['url'];  
$virus = ($_REQUEST['virus'] ? $_REQUEST['virus'] : $_REQUEST['malware']);  
$source = preg_replace("@/-@", "", $_REQUEST['source']);  
$user = $_REQUEST['user'];  
==========================================================================  
  
These variables are later rendered directly into HTML output, without any  
form of escaping, thus resulting in a reflected XSS vulnerability.  
  
Proof of Concept:  
https://10.10.10.1/squid_clwarn.php?url=xyz&source=xyz&user=&virus=stream:<script>alert('xss')</script>  
  
The information sent in this HTTP GET request is also saved to a log file:  
==========================================================================  
error_log(date("Y-m-d H:i:s") . " | VIRUS FOUND | " . $virus . " | " .  
$url . " | " . $source . " | " . $user . "\n", 3,  
"/var/log/c-icap/virus.log");  
==========================================================================  
  
An administrator who looks at the logs through the pfSense web-GUI, at  
"squid-monitor.php", will be open to a stored XSS vulnerability, because  
the variables are rendered directly into HTML output, without proper  
escaping:  
  
Finally, there is no authentication present in the "squid_clwarn.php"  
file, resulting in possible log manipulation attacks. For example,  
requesting the following URL will result in an empty log entry being  
added.  
  
Proof of Concept:  
https://10.10.10.1/squid_clwarn.php?url=%0A|||||  
  
IV. BUSINESS IMPACT  
- -------------------------  
An attacker can execute arbitrary JavaScript code in a targeted  
user's browser, as well as any administrators viewing the log files  
through the pfSense web-GUI.  
  
V. SYSTEMS AFFECTED  
- -------------------------  
Tested on:  
2.3.1-RELEASE-p1 (amd64)  
built on Wed May 25 14:53:06 CDT 2016  
FreeBSD 10.3-RELEASE-p3  
  
With:  
squid 0.4.16_2  
  
VI. SOLUTION  
- -------------------------  
Upgrade squid to version 0.4.18.  
  
VII. REVISION HISTORY  
- -------------------------  
June 10, 2016: Initial release  
  
VIII. DISCLOSURE TIMELINE  
- -------------------------  
June 7, 2016: Vulnerability discovered by Remco Sprooten  
June 7, 2016: Contacted vendor  
June 7, 2016: Vendor confirmed the vulnerability  
June 7, 2016: Vendor fixed the XSS vulnerabilities  
June 8, 2016: Vendor updated to fix to prevent false log entries  
June 16, 2016: Vendor released a SA:  
https://www.pfsense.org/security/advisories/pfSense-SA-16_06.squid.asc  
June 17, 2016: Sent to lists  
  
IX. REFERENCES  
- -------------------------  
Devel (pfSense 2.4 packages):  
https://github.com/pfsense/FreeBSD-ports/commit/e99ba5ea416690285a4ab3e094c4b2c0fb20c735  
https://github.com/pfsense/FreeBSD-ports/commit/442b7dd6b6e3ff8976f88ab1f168d365cdebe520  
  
RELENG_2_3_1 (pfSense 2.3.1_x packages):  
https://github.com/pfsense/FreeBSD-ports/commit/e2a02e3773f33d0bd9f450ffb0d9cfd7215791b8  
https://github.com/pfsense/FreeBSD-ports/commit/408eb385c5696a271945226bb10c77dc2231793c  
  
RELENG_2_3 (pfsense 2.3.2 packages):  
https://github.com/pfsense/FreeBSD-ports/commit/90bcaee8d8315e4026e2afed2ea7c6fdd55ffd20  
https://github.com/pfsense/FreeBSD-ports/commit/d581d14a7a88027655719c8ad3f9bed7c2f7585f  
  
RELENG_2_3_0 (pfSense 2.3_x packages):  
https://github.com/pfsense/FreeBSD-ports/commit/e82ef1c5b43ab4fd1117966d0de881655958f1f3  
https://github.com/pfsense/FreeBSD-ports/commit/b301844cadcb2887c788be38eadc9b50ea5b8d52  
  
X. LEGAL NOTICES  
- -------------------------  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
  
XI. ABOUT  
- -------------------------  
Remco Sprooten  
Security Consultant  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2  
  
iQIcBAEBCAAGBQJXYzAjAAoJEMAbBFdxLTwF2jUQAKAtkzMaeK0svql8mWx4dcyC  
CJaNe1tiYfjl9tIv7ywSFzGh3Bq7WdcxiOVgDEj+0Co5+H8B2+EslezJg6636BMP  
svOq57xpEo7qMqnnRGpJAI1Ytyky+nUI+aSr472vuuwEFiXg7rmJx2UsfFPcoQDG  
YgfUtLwrYdkLatq5RBX38Q3I6KWHFNgflcp7RHvbi+3/CcOYzBkYhoQRm7faZIgN  
n74ymI2+PFq3pvhLnOLRtKLftVro5n0XmK/ADFVIcC7Mw1gOalvREkCi0He8dYoE  
mdr9oPNESKFcVadFgrJiO/KTdcc+DwYuU+p+yYF7pMGvLLEGUQJPdIcfd2n5AS1D  
4Y8kdmIOJPmzCWsWJ8LZRu/kLy3H/jaDZlBkhOElbQk2Z+h0KxeCNDeatxtopGpn  
jizuDqrhTrBw3prQRWn/zvCeuuA/EFtVrMFcL0k04ilHa+543m9abXshKQss8S89  
eUvsDQNgz4hWPw46Ptp2NBpUwyrci2QW8mZG1iKvjrycW7GVN80dfs+sdf5EcJuX  
DYJQ7qAyIDnUBOQgcEvzRnn+oD7JlvCqFhKfASlK8S9BlzSD9qAJydh8sfliaH0r  
LnUOJd3ucBqM5OrscHPnrMD7siXsy54ZEMiAVZP/D6H29uNL1QmEN/fr4uUjpaZC  
N1qM2bqWy4u471A2GKN8  
=ih9y  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Jun 2016 00:00Current
7.4High risk
Vulners AI Score7.4
pfsensesquidxsslog manipulationfreebsdvulnerabilityclamdfirewallweb-guiav solution
32