pfSense 2.4.1 Clickjacking

2017.11.26
Credit: Yorick Koster
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

------------------------------------------------------------------------
Clickjacking vulnerability in CSRF error page pfSense
------------------------------------------------------------------------
Yorick Koster, November 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a specially crafted webpage, it is possible for an attacker to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user, this results in a full compromise of the pfSense instance.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on pfSense version 2.4.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
pfSense 2.4.2-RELEASE has been released and addresses the Clickjacking issue.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html
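Clickjacking is only possible when the browser is allowed to render the target page inside a frame on an attacker's origin, so the practical check for an administrator is whether the WebGUI's responses carry a framing restriction (Content-Security-Policy frame-ancestors, or the older X-Frame-Options header). The script below is an added example written for this page; it is not code from the advisory or from the pfSense project, and it does not show how 2.4.2 implements its fix. The header names and their semantics are real; the sample responses are constructed inline, and the verdict labels are the author's own.

```python
"""Classify an HTTP response's framing protection (clickjacking exposure).

Added example: evaluates response headers the way a browser would, so a
defender can confirm that a management UI cannot be embedded by a foreign origin.
"""
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if the
    directive is absent. Source tokens are lower-cased; quoted keywords such as
    'self' and 'none' keep their quotes so they cannot be confused with hostnames."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [token.lower() for token in parts[1:]]
    return None


def framing_verdict(headers: Dict[str, str]) -> str:
    """Return one of: 'blocked', 'same-origin', 'restricted', 'allowed'.

    'allowed' means any origin may frame the page, which is the precondition
    for clickjacking. CSP frame-ancestors, when present, takes precedence over
    X-Frame-Options, matching browser behaviour.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # An empty source list matches nothing, so it behaves like 'none'.
            if sources == [] or sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            return "restricted"  # a specific allow-list of ancestor origins

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "blocked"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM and any unrecognised value are ignored by current browsers,
        # which leaves the page frameable; report it as such.
        return "allowed"
    return "allowed"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Apply framing_verdict to a set of named responses and return the verdicts."""
    return {name: framing_verdict(headers) for name, headers in responses.items()}


# Constructed sample responses (not captured from a real pfSense instance).
SAMPLE_RESPONSES = {
    "no-protection": {"Content-Type": "text/html; charset=utf-8"},
    "xfo-sameorigin": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp-none": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-overrides-xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors https://trusted.example",
    },
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://trusted.example"},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        flag = "  <-- frameable by any origin" if verdict == "allowed" else ""
        print(f"{name:20s} {verdict}{flag}")
```

In practice the input dict would be the headers of a live response to an authenticated WebGUI request (including error pages, since this advisory concerns the CSRF error page rather than the main UI); a verdict of "allowed" on any such page is the condition to fix.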

References:

https://www.securify.nl/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html


Copyright 2019, cxsecurity.com