pfSense Cross Site Scripting and Security Bypass Vulnerabilities
BID:51169
Info
pfSense Cross Site Scripting and Security Bypass Vulnerabilities
| Bugtraq ID: | 51169 |
| Class: | Unknown |
| CVE: |
CVE-2011-4197 CVE-2011-5047 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 22 2011 12:00AM |
| Updated: | Mar 19 2015 09:30AM |
| Credit: | Jan Fischbach of Secunia and Florent Daigniere from Matta Consulting. |
| Vulnerable: |
BSD Perimeter pfSense 2.0 |
| Not Vulnerable: |
BSD Perimeter pfSense 2.0.1 |
Discussion
pfSense Cross Site Scripting and Security Bypass Vulnerabilities
pfSense is prone to a cross-site scripting and a security-bypass vulnerability.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The attacker may leverage the security bypass issue to bypass certain security restrictions and perform unauthorized actions.
pfSense 2.0 is vulnerable; other versions may also be affected.
pfSense is prone to a cross-site scripting and a security-bypass vulnerability.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The attacker may leverage the security bypass issue to bypass certain security restrictions and perform unauthorized actions.
pfSense 2.0 is vulnerable; other versions may also be affected.
Exploit / POC
pfSense Cross Site Scripting and Security Bypass Vulnerabilities
An attacker can exploit some of these issues using a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim into following a malicious URI.
An attacker can exploit some of these issues using a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim into following a malicious URI.
Solution / Fix
pfSense Cross Site Scripting and Security Bypass Vulnerabilities
Solution:
Updates are available. Please see the references for more details.
Solution:
Updates are available. Please see the references for more details.
References
pfSense Cross Site Scripting and Security Bypass Vulnerabilities
References:
References:
- 2.0.1 release now available! (pfSense)
- pfSense Homepage (BSD Perimeter LLC )
- pfSense x509 Insecure Certificate Creation (Matta Consulting)