Vigil@nce: pfSense, injection of HTML code
July 2008 by Vigil@nce
SYNTHESIS
An attacker can inject HTML code in the Firewall administration
interface.
Gravity: 2/4
Consequences: client access/rights
Provenance: intranet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 28/07/2008
Identifier: VIGILANCE-VUL-7974
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION
The DHCP protocol works with the following packet exchange:
– The client sends a DHCP_DISCOVER packet.
– The server sends a DHCP_OFFER packet.
– The client confirms the offer with a DHCP_REQUEST packet,
containing the hostname.
– The server acknowledges the transaction with a DHCP_ACK packet.
The pfSense Firewall offers a web administration interface
displaying computer names and IP addresses offered by DHCP.
Displayed hostname directly come from the DHCP request message and is displayed without ensuring it does not contain malicious
characters.
An attacker can therefore send a packet containing HTML code which
will be displayed when the webpage is opened.
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-7974