------------------------------------------------------------------------
Clickjacking vulnerability in CSRF error page pfSense
------------------------------------------------------------------------
Yorick Koster, November 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
pfSense is a free and open source firewall and router. It was found that
the pfSense WebGUI is vulnerable to Clickjacking. By tricking an
authenticated admin into interacting with a specially crafted webpage it
is possible for an attacker to execute arbitrary code in the WebGUI.
Since the WebGUI runs as the root user, this will result in a full
compromise of the pfSense instance.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on pfSense version 2.4.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
pfSense 2.4.2-RELEASE was released that addresses the Clickjacking issue.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html
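
Added example (not part of the advisory and not pfSense code): the standard defence against Clickjacking is for every response, error pages included, to forbid cross-origin framing with X-Frame-Options or the CSP frame-ancestors directive. The Python below classifies a response's framing policy from its headers so that pages missing the control stand out; the function names and paths are hypothetical.

```python
# Added example: classify whether an HTTP response may be framed by another origin.
# All names here are illustrative; nothing is taken from pfSense itself.

RANK = ["frameable", "restricted", "same-origin", "blocked"]  # weakest to strictest


def _classify_ancestors(sources):
    """Map one frame-ancestors source list to a policy label."""
    sources = [s.lower() for s in sources]
    if not sources or sources == ["'none'"]:
        return "blocked"              # empty list or 'none' matches no ancestor
    if any(s == "*" or s in ("http:", "https:") for s in sources):
        return "frameable"            # wildcard or scheme-only source: any site
    if sources == ["'self'"]:
        return "same-origin"
    return "restricted"               # explicit allowlist of origins


def framing_policy(headers):
    """headers: list of (name, value) pairs as received, duplicates included."""
    xfo, csp = set(), []
    for name, value in headers:
        name = name.strip().lower()
        if name == "x-frame-options":
            xfo.update(v.strip().lower() for v in value.split(",") if v.strip())
        elif name == "content-security-policy":   # Report-Only is not enforced
            for policy in value.split(","):
                for directive in policy.split(";"):
                    parts = directive.split()
                    if parts and parts[0].lower() == "frame-ancestors":
                        csp.append(_classify_ancestors(parts[1:]))
                        break         # first frame-ancestors in a policy wins
    if csp:                           # frame-ancestors supersedes X-Frame-Options
        return max(csp, key=RANK.index)   # strictest policy decides the label
    if "deny" in xfo:
        return "blocked"
    if xfo == {"sameorigin"}:
        return "same-origin"
    return "frameable"                # missing, ALLOW-FROM or unrecognised value


def audit(pages):
    """Return the paths from {path: headers} that a third-party site could frame."""
    return sorted(p for p, h in pages.items() if framing_policy(h) == "frameable")
```

Feed audit() the headers of error and redirect responses as well as normal pages, since a control set only on the main application path leaves the other responses frameable.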