CVE-2015-2294 in pfSense

Summary

by MITRE

Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) zone parameter to status_captiveportal.php; (2) if or (3) dragtable parameter to firewall_rules.php; (4) queue parameter in an add action to firewall_shaper.php; (5) id parameter in an edit action to services_unbound_acls.php; or (6) filterlogentries_time, (7) filterlogentries_sourceipaddress, (8) filterlogentries_sourceport, (9) filterlogentries_destinationipaddress, (10) filterlogentries_interfaces, (11) filterlogentries_destinationport, (12) filterlogentries_protocolflags, or (13) filterlogentries_qty parameter to diag_logs_filter.php.


Analysis

by VulDB Data Team • 05/02/2022

CVE-2015-2294 describes a critical cross-site scripting weakness in the WebGUI of pfSense versions prior to 2.2.1. The issue stems from inadequate validation and sanitization of user-supplied parameters in several PHP scripts, giving remote attackers multiple injection points through which script runs in the browsers of authenticated users. It affects the core administrative interface of pfSense, a widely deployed open source firewall and router platform that often serves as a critical network security component in enterprise and organizational environments.

The flaw shows up at several distinct parameter injection points across administrative pages in the pfSense WebGUI. The zone parameter of status_captiveportal.php is reflected during captive portal status queries, while the if and dragtable parameters of firewall_rules.php are reflected during rule management. Further vectors are the queue parameter when adding a queue in firewall_shaper.php, the id parameter when editing an ACL in services_unbound_acls.php, and the filterlogentries_* parameters of diag_logs_filter.php that drive log filtering. In every case user input reaches the rendered page without proper validation and output encoding, which is the pattern catalogued as CWE-79 (Improper Neutralization of Input During Web Page Generation).
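To make the CWE-79 pattern concrete, here is an added Python model of the kind of "sticky" filter form diag_logs_filter.php presents, where the submitted filter values are rendered back into input attributes. This is illustrative code written for this page, not pfSense's PHP (where the equivalent output encoding is htmlspecialchars()); the parameter names are the ones from the summary, the allowlist rules in VALIDATORS are assumed for the example, and the sample request value is constructed.

```python
import html
import re
from html.parser import HTMLParser

# Parameters of diag_logs_filter.php named in the CVE summary; a "sticky" form
# re-renders whatever the client submitted into these inputs' value attributes.
FILTER_FIELDS = (
    "filterlogentries_time",
    "filterlogentries_sourceipaddress",
    "filterlogentries_sourceport",
    "filterlogentries_destinationipaddress",
    "filterlogentries_interfaces",
    "filterlogentries_destinationport",
    "filterlogentries_protocolflags",
    "filterlogentries_qty",
)


def render_filter_form_vulnerable(params):
    """CWE-79: the raw request value lands inside a double-quoted attribute."""
    rows = []
    for name in FILTER_FIELDS:
        value = params.get(name, "")
        rows.append(f'<input name="{name}" value="{value}">')
    return "\n".join(rows)


def render_filter_form_hardened(params):
    """Same template, but the value is encoded for the attribute context.
    quote=True is what matters here: it turns the closing quote a payload
    relies on into &quot;, so the browser never leaves the attribute."""
    rows = []
    for name in FILTER_FIELDS:
        value = html.escape(params.get(name, ""), quote=True)
        rows.append(f'<input name="{name}" value="{value}">')
    return "\n".join(rows)


# Allowlist validation in front of the template. These patterns are assumed for
# the example, not pfSense's rules; the point is that a port or a row count has
# no legitimate reason to contain anything but digits.
VALIDATORS = {
    "filterlogentries_sourceport": re.compile(r"\d{1,5}"),
    "filterlogentries_destinationport": re.compile(r"\d{1,5}"),
    "filterlogentries_qty": re.compile(r"\d{1,4}"),
    "filterlogentries_interfaces": re.compile(r"[A-Za-z0-9_]+"),
}


def validate_filter_params(params):
    """Return the names of parameters that fail their allowlist pattern."""
    return [
        name
        for name, pattern in VALIDATORS.items()
        if name in params and not pattern.fullmatch(params[name])
    ]


class _TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    """Tag names in the rendered markup; anything besides 'input' was injected."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


# Constructed request: the value closes the attribute and adds a harmless tag.
SAMPLE_REQUEST = {"filterlogentries_sourceport": '"><b>injected</b>'}

if __name__ == "__main__":
    print("vulnerable tags:", tags_in(render_filter_form_vulnerable(SAMPLE_REQUEST)))
    print("hardened tags:  ", tags_in(render_filter_form_hardened(SAMPLE_REQUEST)))
    print("rejected params:", validate_filter_params(SAMPLE_REQUEST))
```

The two defences are deliberately separate: validation rejects values that cannot be legitimate at all, and output encoding protects the fields (such as a free-text time filter) where almost any character is legitimate but must still be rendered as data rather than markup.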

The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform a range of malicious activities including session hijacking, credential theft, and unauthorized administrative actions. An attacker who successfully exploits these vulnerabilities could gain persistent access to the firewall's administrative interface, potentially leading to complete network compromise. The remote nature of these attacks means that threat actors do not require physical access or network proximity to exploit the vulnerabilities, making them particularly dangerous in environments where pfSense appliances serve as critical network gateways. The impact is amplified by the fact that pfSense is commonly deployed in enterprise environments where these appliances control network traffic and security policies.

Mitigation strategies for CVE-2015-2294 primarily involve upgrading to pfSense version 2.2.1 or later, which includes comprehensive input validation fixes for all identified parameters. Organizations should also implement network segmentation and access controls to limit exposure, while monitoring for suspicious activity in firewall logs that might indicate exploitation attempts. The implementation of Content Security Policy headers and regular security audits of web applications can provide additional defense layers. From an ATT&CK framework perspective, this vulnerability maps to techniques involving web application exploitation and credential access, with potential lateral movement opportunities through compromised administrative sessions. Network administrators should also consider implementing web application firewalls and input validation mechanisms to provide additional protection against similar vulnerabilities in other applications within their infrastructure.
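For the log-monitoring advice, here is an added Python check (not a pfSense or VulDB tool) that scans web-server access log lines for the scripts and parameters named in the summary and flags values that still contain markup metacharacters after URL decoding. The log lines are constructed for the example, and the combined log format it parses is an assumption about how the web server in front of the WebGUI is logging.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts and parameters named in CVE-2015-2294 (taken from the summary above).
AFFECTED_PARAMS = {
    "/status_captiveportal.php": {"zone"},
    "/firewall_rules.php": {"if", "dragtable"},
    "/firewall_shaper.php": {"queue"},
    "/services_unbound_acls.php": {"id"},
    "/diag_logs_filter.php": {
        "filterlogentries_time", "filterlogentries_sourceipaddress",
        "filterlogentries_sourceport", "filterlogentries_destinationipaddress",
        "filterlogentries_interfaces", "filterlogentries_destinationport",
        "filterlogentries_protocolflags", "filterlogentries_qty",
    },
}

# None of these parameters legitimately carries angle brackets or quotes.
SUSPICIOUS = re.compile(r'[<>"\']')

# Request line of a combined-format access log entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(log_line):
    """Return (script, parameter, decoded value) for every affected parameter
    whose value contains markup metacharacters; an empty list means clean."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    watched = AFFECTED_PARAMS.get(url.path)
    if not watched:
        return []
    hits = []
    # parse_qs URL-decodes, so %3C and friends are compared as the characters
    # the browser would actually receive back in the page.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            if SUSPICIOUS.search(value):
                hits.append((url.path, name, value))
    return hits


def scan(lines):
    """Flatten the hits for a whole log."""
    return [hit for line in lines for hit in suspicious_params(line)]


# Constructed sample lines (not real traffic). The second carries a harmless tag
# in the zone parameter; the third puts markup in a parameter the CVE does not
# name, so it is not flagged by this check.
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Apr/2015:10:00:00 +0000] '
    '"GET /firewall_rules.php?if=lan HTTP/1.1" 200 8123',
    '192.0.2.10 - admin [01/Apr/2015:10:00:05 +0000] '
    '"GET /status_captiveportal.php?zone=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 2048',
    '192.0.2.10 - admin [01/Apr/2015:10:00:09 +0000] '
    '"GET /firewall_rules.php?if=lan&other=%3Cb%3E HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    for script, name, value in scan(SAMPLE_LOG):
        print(f"possible CVE-2015-2294 probe: {script} {name}={value!r}")
```

Two caveats when running this against real logs: only query-string parameters appear in the access log's request line, so values submitted in a POST body are invisible to it, and a hit shows that markup was sent, not that it was rendered, so treat matches as probes to investigate alongside the upgrade to 2.2.1 rather than as confirmation of compromise.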

Reservation: 03/14/2015

Disclosure: 04/01/2015

Moderation: accepted

Entry: VDB-74588

CPE: ready

Exploit: Download

EPSS: 0.24167

KEV: no

Activities: very low

Sources
