Bug #12725
Potential XSS in ``pkg.php`` via ``pkg_filter``
Status: Closed
Done: 100%
Description
The pkg_filter parameter on pkg.php is not encoded before being printed back to the user, leading to a potential XSS.
Additionally, submitting an invalid regex pattern prints an ugly PHP warning on the page, for example:
Warning: preg_match(): Unknown modifier 'p' in /usr/local/www/pkg.php on line 456
Both problems are solved by sanitizing the content of the variable before it is used and by removing the unnecessary output of the variable in question.
The simplest way to reproduce the problem is:
- Install a package such as FreeRADIUS, which uses the list feature of pkg.php on its Users tab.
- Create a user or two if none exist.
- Submit a string such as the following in the "Filter text" field to check for both the XSS and the PHP error:
--><script>alert('XSS')</script><!--
- Submit a string such as the following in the "Filter text" field to reproduce the PHP error without XSS:
one/two
Before the fix is in place, the first test will produce a JavaScript alert with the text "XSS" along with a PHP error on the page above the "Filter by" line. The second test will produce the PHP error but not the JS alert.
After the fix is in place, neither string will produce an error and filter text that matches an existing account will filter the list appropriately.
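The following is an added example, not code from pfSense's pkg.php or from the fix for this bug. It models the two defects the report describes (reflecting pkg_filter into the page unencoded, and passing it straight to preg_match() as a pattern) next to one hardened version that HTML-encodes the value on output and compile-tests the pattern before using it. The sample rows, the way the pattern is assembled with "/" delimiters, and the fallback to a literal match are assumptions made for illustration; the exact delimiter and the letter named in the real "Unknown modifier" warning depend on how pkg.php builds its pattern.

```php
<?php
// Added example, not pfSense's pkg.php code. Row data and pattern assembly are
// assumptions for illustration.

// Constructed sample rows standing in for a package's "Users" list.
$rows = [
    ['username' => 'alice'],
    ['username' => 'bob'],
];

// Vulnerable: echoes the raw parameter and uses it as a regex with no checks.
function filter_rows_vulnerable(array $rows, string $filter): string
{
    // 1. Reflected XSS: the parameter lands in the page untouched.
    $html = '<p>Filter: ' . $filter . '</p><ul>';
    // 2. An unescaped "/" in the filter ends the pattern early, so the rest is
    //    parsed as modifiers and preg_match() emits a "Unknown modifier" warning.
    $regex = '/' . $filter . '/i';
    foreach ($rows as $row) {
        if (preg_match($regex, $row['username'])) {
            $html .= '<li>' . $row['username'] . '</li>';
        }
    }
    return $html . '</ul>';
}

// Hardened: encode on output, validate the pattern before use.
function filter_rows_hardened(array $rows, string $filter): string
{
    $html = '';
    // Encode every reflection of user input. ENT_QUOTES covers both text and
    // attribute contexts; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
    $safe = htmlspecialchars($filter, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Compile-test the regex before it touches any data: preg_match() returns
    // false on a compile error. "@" keeps the warning off the page; the reason
    // is still available via preg_last_error() (or preg_last_error_msg() on
    // PHP 8+) if it should be logged.
    $regex = '/' . $filter . '/i';
    if (@preg_match($regex, '') === false) {
        // Not a usable pattern (e.g. "one/two"): match it literally instead of
        // showing the user a raw PHP warning. preg_quote() also escapes the
        // "/" delimiter.
        $regex = '/' . preg_quote($filter, '/') . '/i';
        $html .= '<p class="text-danger">Filter text is not a valid regular expression; matching it literally.</p>';
    }

    $html .= '<p>Filter: ' . $safe . '</p><ul>';
    foreach ($rows as $row) {
        if (preg_match($regex, $row['username'])) {
            $html .= '<li>' . htmlspecialchars($row['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
        }
    }
    return $html . '</ul>';
}

// Both strings from the reproduction steps above, plus a benign filter.
$payload = "--><script>alert('XSS')</script><!--";
echo filter_rows_hardened($rows, $payload), "\n";
echo filter_rows_hardened($rows, 'one/two'), "\n";
echo filter_rows_hardened($rows, 'ali'), "\n";
```

Run it with `php example.php`. The vulnerable function reproduces both symptoms from the report: the script tag is copied into the page verbatim, and both test strings contain a "/" that terminates the pattern, so preg_match() raises the "Unknown modifier" warning. The hardened function renders the payload with `<` and `>` encoded as `&lt;` and `&gt;`, produces no PHP warning for either string, and still filters the list when the text is a valid pattern that matches an existing account (only "alice" is listed for the last call). Swapping the fallback for an outright rejection of invalid patterns is an equally reasonable choice; the important part is that the decision is made before the pattern reaches preg_match() over real data, and that the value is encoded every time it is reflected.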