Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in the pfSense Status_Traffic_Totals package. Specifically, the 'start-day' parameter in the /usr/local/www/status_traffic_totals.php file is not validated or sanitized before being displayed back to users. An attacker with at least 'WebCfg - Status: Traffic Totals' permissions can inject malicious HTML or script code into this parameter, which is then saved and displayed to all users visiting the Status Traffic Totals page, leading to stored XSS attacks. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an authenticated attacker to execute arbitrary scripts in the browsers of users who visit the affected Status Traffic Totals page. This can lead to session hijacking, defacement, or other malicious actions performed on behalf of the victim user. Since the malicious code is stored and displayed to all users, it can affect multiple users and compromise the integrity and security of the pfSense web interface. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the 'start-day' parameter in the /usr/local/www/status_traffic_totals.php page accepts non-numeric or HTML-related characters without validation, which could indicate the presence of the stored XSS vulnerability. To detect exploitation attempts or presence, you can monitor HTTP requests to this page for suspicious 'start-day' parameter values containing script tags or HTML. For example, using command-line tools like curl or grep: 1) Use curl to send a request with a test XSS payload in the 'start-day' parameter and observe if it is reflected unsanitized: curl -i -X POST -d "start-day=<script>alert(1)</script>" https://your-pfsense/status_traffic_totals.php 2) Use grep or similar tools on web server logs to find requests with suspicious 'start-day' values: grep "start-day=<script" /var/log/nginx/access.log or /var/log/httpd/access_log 3) Additionally, check the configuration or saved defaults for the 'start-day' parameter to see if any malicious values are stored. These steps help detect if the vulnerability is present or exploited on your system. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the pfSense Status_Traffic_Totals package to a fixed version where input validation is enforced. Specifically, upgrade to pfSense Plus versions 25.07.1 or 25.07, or Community Edition versions 2.8.1 or 2.8.0 or later, where the vulnerability has been patched. The patch enforces strict validation on the 'start-day' parameter and other inputs to prevent stored XSS. Additionally, restrict access to the Status Traffic Totals page to only trusted authenticated users with necessary permissions, and monitor for suspicious input values. If an update is not immediately possible, consider disabling or restricting access to the affected page as a temporary workaround. [1, 2]

Useful 0 Not Useful 0