CVE-2023-44275 - XSS Vulnerability in OPNsense Dashboard (index.php column_count parameter)

A recent vulnerability, CVE-2023-44275, has been discovered in OPNsense firewall software, which could allow an attacker to execute malicious JavaScript code through a Cross-Site Scripting (XSS) attack. This post is a deep-dive into how this issue works, how to exploit it, and most importantly, how to protect yourself if you are using OPNsense before version 23.7.5.

What is OPNsense?

OPNsense is an open-source, FreeBSD-based firewall and routing platform known for its rich web interface and strong security features. It's used by home users, small businesses, and even some enterprise networks.

About CVE-2023-44275

In OPNsense versions before 23.7.5, the dashboard’s index.php file does not properly sanitize the column_count parameter. Because of this oversight, someone can inject arbitrary JavaScript code that will run in the browser—an XSS (Cross-Site Scripting) attack.

- Impact: If a logged-in admin is tricked into clicking a malicious link, the attacker’s script can run with admin privileges in the browser session. This could let the attacker steal session cookies, change firewall settings, or even open up your network.

Let’s look at the vulnerable code

// index.php (simplified example)
// The parameter is read straight from the query string, with only a default for the missing case...
$column_count = $_GET['column_count'] ?? 2;
// ...and interpolated into an HTML attribute with no validation and no escaping.
echo "<div class='dashboard' data-columns='{$column_count}'>";

Notice that $column_count from the URL is printed directly into the page without any escaping or sanitization.

If someone visits:
https://your-opnsense-host/index.php?column_count=2%20onmouseover=alert(1)

The resulting HTML will look like:

<div class='dashboard' data-columns='2 onmouseover=alert(1)'>

Now, if a user hovers over the dashboard, the JavaScript alert(1) pops up. In a real attack, this could do much more.

An attacker can send the following crafted URL to a logged-in administrator:

https://your-opnsense-firewall/index.php?column_count=2%20onmouseover=alert(document.cookie)

What happens:
When the admin opens this link and hovers over the dashboard element, the browser will show an alert containing the admin's session cookie (or worse, silently send it off to the attacker).

Advanced Exploit:
Attackers could inject more complex payloads, such as making changes to the firewall, adding backdoor rules, or defacing the dashboard. Another variant of the crafted URL:

https://your-opnsense-firewall/index.php?column_count=2%20onmouseover=alert('XSS')

Official Patch

The OPNsense team fixed this in version 23.7.5. The patch escapes the column_count value before inserting it into the page.
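To make concrete what "escaping the value" means next to the unsafe snippet shown earlier, here is an added example. It is not OPNsense's own code and not the 23.7.5 patch; the function names, the assumed range of 1 to 6 columns and the sample inputs are mine. It renders the same attribute three ways: the unsafe interpolation from the post, a whitelist-style integer check, and contextual HTML attribute encoding, with the check and the encoder combined in the hardened renderer.

```php
<?php
// Added illustration, not code from OPNsense or from its 23.7.5 patch.
// Shows the unsafe interpolation described in the post next to two
// defensive treatments of the same query parameter.
declare(strict_types=1);

// Unsafe: mirrors the simplified vulnerable snippet, kept only for comparison.
function render_dashboard_unsafe(array $get): string
{
    $column_count = $get['column_count'] ?? 2;
    return "<div class='dashboard' data-columns='{$column_count}'>";
}

// Defence 1: treat column_count as what it is, a small positive integer.
// Anything else (text, out-of-range numbers, arrays, missing value) becomes
// the default. The 1..6 range is an assumption for this example.
function sanitize_column_count($raw, int $default = 2, int $min = 1, int $max = 6): int
{
    if (!is_string($raw) && !is_int($raw)) {
        return $default;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $n === false ? $default : $n;
}

// Defence 2: contextual output encoding for an HTML attribute value.
// ENT_QUOTES matters here: the template wraps the attribute in single
// quotes, and without that flag htmlspecialchars() leaves ' untouched.
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: validate first, encode anyway. Encoding a value that is
// already a plain integer costs nothing and keeps the template safe if the
// validation step is ever loosened in a later refactor.
function render_dashboard_safe(array $get): string
{
    $column_count = sanitize_column_count($get['column_count'] ?? null);
    return "<div class='dashboard' data-columns='" . escape_attr((string) $column_count) . "'>";
}

// Constructed inputs: a normal request, the payload shape shown in the post,
// an out-of-range number and a request with the parameter missing entirely.
$cases = [
    'normal'       => ['column_count' => '3'],
    'payload'      => ['column_count' => '2 onmouseover=alert(1)'],
    'out of range' => ['column_count' => '99'],
    'missing'      => [],
];

foreach ($cases as $label => $get) {
    echo str_pad($label, 13) . " unsafe: " . render_dashboard_unsafe($get) . PHP_EOL;
    echo str_pad('', 13) . " safe:   " . render_dashboard_safe($get) . PHP_EOL;
}

// The encoder on its own, with a constructed value containing a single quote,
// to show that ENT_QUOTES turns the quote into an entity.
echo escape_attr("it's") . PHP_EOL;
```

Run it with `php example.php` (any file name). The integer check is the control that actually matters for this parameter: a column count has no legitimate non-numeric form, so rejecting everything else removes the injection surface outright, while the encoder is the general-purpose safety net for template slots that must carry free text.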

You can find the updates and changelog here:
- OPNsense 23.7.5 Release Notes
- GitHub Commit

References

- CVE-2023-44275 @ NVD
- OPNsense Security Advisories
- OPNsense Github Repo

Summary

CVE-2023-44275 is a serious XSS vulnerability in OPNsense’s Lobby Dashboard. The exploit takes advantage of unsanitized user input via the column_count parameter in the URL. If you run OPNsense below version 23.7.5, upgrade immediately to avoid potential attacks.

Stay safe, keep your firewall updated, and always be suspicious of strange links, even inside your own network.


*This post is exclusive and written in simple, straightforward language to help everyone understand the risks and solutions. Please share responsibly.*

Timeline

Published on: 09/28/2023 05:15:00 UTC
Last modified on: 10/02/2023 18:42:00 UTC