XSS, GET and POST

There is recent work converting pages in the pfSense software webGUI to use POST rather than GET. This work is scheduled to appear in pfSense software version 2.4.

While this work was spurred by the recent security issue that caused the pending release of pfSense software version 2.3.3, it isn’t specifically about closing XSS bugs. There are situations when you should use POST rather than GET, but just avoiding XSS isn’t one of them.  Even if what we’re talking about is XSRF, requiring POST doesn’t really protect the application. REST advocates would actually say that you shouldn’t just use GET in a web application, but rather that you should use POST, PUT and DELETE for the corresponding “CRUD” operations, operations that change the state of the application.

To specifically avoid XSS, a web app needs to escape and/or scrub content from users as appropriate. To avoid XSRF, a web app has to require secret tokens on any side-effect-causing operation that is potentially dangerous. Note that it is a good idea to avoid using GET requests when passing secret tokens, as this could result in them leaking in referrers. Still, switching to POST does help avoid XSS attacks. As Wikipedia explains:

In HTTP GET the CSRF exploitation is trivial. For example, a simple hyperlink containing manipulated parameters and automatically loaded by an IMG tag. By the HTTP specification however, GET should be used as a safe method, that is, not significantly changing user’s state in the application. Applications using GET for such operations should be rewritten to use HTTP POST and/or use anti-CSRF protection.

Simplifying the above:

  • Use GET for read-only requests whenever possible. (pretty much whenever the query can fit in a URL)
  • Use POST (or PUT or DELETE, if feasible and appropriate) for write requests.

The process of conversion from using GET to POST has previously required a comprehensive re-write of the page, converting anchors into buttons and adding JavaScript to handle the click event. Jim Pingle recently found some code where someone had attempted to automate this in JavaScript. While it was not suitable for what we needed, it sparked an idea, and that idea has now been implemented for pfSense 2.4.

The file pfSenseHelpers.js now contains code that intercepts clicks on anchor tags with the attribute “usepost” set. The target URL and the GET arguments are extracted from the clicked anchor’s href attribute, and these are used to compose a new, temporary form with the previous arguments inserted as POST parameters, which is then submitted.
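As an added illustration of the scheme just described (this is not the project’s pfSenseHelpers.js, and the `csrf_token` input name it looks for is an assumption), here is one way such a click interceptor can be written:

```javascript
// Added example (not pfSenseHelpers.js itself): a click interceptor in the
// spirit of the "usepost" scheme. Anchors carrying a bare `usepost` attribute
// have their href query string turned into hidden POST fields on a temporary
// form, so the parameters never travel in the URL.

// Split "page.php?act=delete&id=7" into the form action ("page.php") and the
// decoded name/value pairs to post. Works on relative or absolute hrefs.
function splitHref(href) {
  const q = href.indexOf("?");
  const action = q === -1 ? href : href.slice(0, q);
  const query = q === -1 ? "" : href.slice(q + 1);
  const params = [];
  for (const [name, value] of new URLSearchParams(query)) {
    params.push({ name, value }); // URLSearchParams percent-decodes for us
  }
  return { action, params };
}

// Build a hidden POST form for `href`. If `csrfToken` is given it is added as
// a body field, so the anti-CSRF secret never appears in a URL or referrer.
function buildPostForm(doc, href, csrfToken) {
  const { action, params } = splitHref(href);
  const form = doc.createElement("form");
  form.method = "post";
  form.action = action;
  form.style.display = "none";
  const fields = csrfToken
    ? [...params, { name: "csrf_token", value: csrfToken }] // assumed field name
    : params;
  for (const { name, value } of fields) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = name;   // assigning properties, not innerHTML: no HTML re-injection
    input.value = value;
    form.appendChild(input);
  }
  return form;
}

// One delegated listener on the document also covers anchors rendered later.
function installUsePostHandler(doc) {
  doc.addEventListener("click", (event) => {
    const target = event.target;
    if (!target || typeof target.closest !== "function") return;
    const anchor = target.closest("a[usepost][href]");
    if (!anchor) return;
    event.preventDefault();
    // "csrf_token" is an assumed name for the page's anti-CSRF hidden input.
    const tokenInput = doc.querySelector('input[name="csrf_token"]');
    const form = buildPostForm(doc, anchor.getAttribute("href"), tokenInput ? tokenInput.value : "");
    doc.body.appendChild(form);
    form.submit();
  });
}

if (typeof document !== "undefined") installUsePostHandler(document);
```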

Converting a page from GET to POST now only requires four steps:

  1. Replace $_GET with $_POST where appropriate
  2. Add the “usepost” attribute to anchors that have the href attributes set
  3. Fix any “if ($_POST)” instances (or similar)
  4. Test

Not all GET calls need to be replaced. In fact, where the action involved is not harmful, such as “edit” or “view”, it is better to leave the GET or REQUEST in place. That way the action can be bookmarked, and using the browser “Back” button is less frustrating.

Here is a simple example of a conversion:

Before:

<?php
  if ($_GET['act'] == "delete") {
    deleteGateway($_GET['id']);
  }

  if ($_POST) {
    if ($_POST['apply']) {
      write_nvram();
    } else {
      if (!save_config($id)) {
        $input_errors[] = "Something broke";
      }
    }
  }
?>

<a type="button" class="btn btn-danger" href="system_something.php?act=delete&id=<?=htmlspecialchars($id)?>" >
  <i class="fa fa-trash"></i>
  <?=gettext("Delete")?>
</a>

After:

<?php
  if ($_POST['act'] == "delete") {
    deleteGateway($_POST['id']);
  }

  if ($_POST['apply']) {
    write_nvram();
  }

  if ($_POST['save']) { // The generic if ($_POST) is now if ($_POST['save']) to detect when the form is being saved
    if (!save_config($id)) {
      $input_errors[] = "Something broke";
    }
  }
?>

<!-- The "usepost" attribute is added to the anchor -->
<a type="button" class="btn btn-danger" href="system_something.php?act=delete&id=<?=htmlspecialchars($id)?>" usepost>
  <i class="fa fa-trash"></i>
  <?=gettext("Delete")?>
</a>

Most of the main body of pfSense software version 2.4 has been converted to use this scheme.  Now we need the help of the pfSense Community, to test the whole of the pfSense 2.4 web GUI, and file bugs on https://redmine.pfsense.org if inconsistent behavior is observed. Additionally, authors and maintainers of pfSense packages should convert their packages when possible.

We thank you in advance for your assistance and continued participation in the community around pfSense software.

Clock Signal Component Issue

Netgate has become aware of an issue related to a component manufactured by one supplier that affects some of our products. This is a widely-used component that is used by many companies around the world.

There is a lot of confusion and misinformation on the subject, and most systems will never experience the issue.  Those that do will not suddenly stop working, but if the component fails, the system will not successfully reboot. We are working with the component supplier and our manufacturing partner to resolve this issue as quickly as possible.

Although most Netgate Security Gateway appliances will not experience this problem, we are committed to replacing or repairing products affected by this issue for a period of at least 3 years from date of sale, for the original purchaser.

A board level workaround has been identified for the existing production stepping of the component which resolves the issue.  This workaround is being cut into production as soon as possible after Chinese New Year.  Additionally, some of our products are able to be reworked post-production to resolve the issue.

We apologize for the limited information available at this time. Due to confidentiality agreements, we are restricted in what we can discuss. We will communicate additional information as it becomes available.

As always, please be assured we will do the right thing for our customers at Netgate and the pfSense community.

pfSense® software translations with Zanata

Zanata is a web-based translation platform for managing localization projects. A lot of effort is expended in making sure that pfSense® software fully supports localization, but until today it has not been easy for people to contribute the actual translations. Now, however, the pfSense project has been added to the online, open-source Zanata platform and translating could hardly be easier!

The steps required to contribute your language skills to pfSense are simply:
  • Go to www.zanata.org
  • Click “Go to the App”
  • Click “Sign Up”
  • Create a user account
  • Send an email to sbeaver@netgate.com or to renato@netgate.com. Provide your Zanata username and the language you wish to contribute.

This will allow us to add you to the project as quickly as possible.

Zanata displays a table with the English language string on the left, and a space to enter the translated version on the right. It also provides auto-translation where it can, learning from previous translations as you work, as well as high quality suggestions that help to automate the translation. There is syntax checking (which understands printf, HTML, etc.), a glossary and numerous collaboration tools.

We think that people will really enjoy working on the Zanata platform and can’t wait to start adding the results of that work to pfSense.
Portuguese (Brazil) translation under way

More details of the Zanata project can be found here: http://zanata.org/about/

Announcing a new trademark policy for pfSense

Many individuals in our community have posed questions regarding the sale of pfSense® software and the ‘rules’ surrounding open source licensing, trademark usage, logo display, etc.

Trademarks and service marks provide assurance about the source and quality of the goods or services with which the trademarks are associated. The pfSense marks are recognized the world over as a symbol of some of the most advanced, open source security technology. They serve to distinguish those products that are official pfSense, as produced by Netgate, from those produced by other entities.

Confusion can arise if the same or similar names are used in connection with someone else’s products or services that are similar to ours. Our protection of the pfSense Marks benefits the pfSense community, ensuring that you know that what you are receiving is authentic and genuine pfSense software and services.  In order to prevent market confusion regarding pfSense software, we have updated the pfSense trademark usage policy to address these situations more directly.

In order to preserve the spirit and meaning of pfSense as an open source project, we have modeled these guidelines after the Model Trademark Guidelines, as used by other widely-used open source software including CentOS, Ceph, and CloudRouter.  The Model Trademark Guidelines are designed to provide a range of choices that would be found lawful and enforceable under trademark law, that are consistent with FLOSS culture, and that respect the trademark owner’s desire to ensure that the software distributed under the trademark delivers a consistent user experience and meets the brand promise of the name.

By adopting these guidelines for the project, we are not trying to limit the lawful use of our trademarks, but rather describe for you what we consider the parameters of lawful use to be. Trademark law can be ambiguous, so we hope to provide enough clarity for you to understand whether we will consider your use licensed or non-infringing.  Stringently adhering to these guidelines benefits the entire community by ensuring quality products and software for your business or implementation.

We believe the steps taken with this new trademark policy will preserve and enhance the brand of the project while protecting it from malicious actors and questionable practices. Please help us maintain this work by aligning your use of our trademarks and logo in accordance with this policy.

I’ve got 99 problems, but a switch ain’t one.

If you’re havin’ loop problems I feel bad for you son, I got 99 problems but a switch ain’t one.

The SoC used for the SG-1000 (also known as “uFW”) includes an on-die 3 port gigabit Ethernet switch. By leveraging VLANs, it’s possible to build a ‘router on a stick’ on one board. In order to make this switch as functional as possible, we decided to leverage the FreeBSD etherswitch(4) framework. Support for the on-die switch on SG-1000 was directly upstreamed to FreeBSD in revision 309113.

Support for this framework then needed to be added to pfSense.   First support was added to the PHP module that provides the glue layer between FreeBSD and PHP via a series of commits. Here are two of them: 1 2. Once this was done, we could start designing the components of the web GUI. Switch_system.php shows which switches are attached to the system.  It has no controls.

[Screenshot: Interfaces / Switch / System]

Switch_ports.php show the ports available on the selected switch. Since the SG-1000 only has one switch, the selector that allows you to choose which switch you are looking at is hidden.

[Screenshot: Interfaces / Switch / Ports]

Multiple switches attached to one firewall causes a selector to appear so you can choose which one to work on.  Obviously there is only one switch on the SG-1000, but I’ve faked things here (“cd /dev: ln -s etherswitch0 etherswitch1”) to show the selector, and in order to show that we’re “thinking forward”.

[Screenshot: Interfaces / Switch / VLANs, with the switch selector shown]

The VLAN page allows you to view/create/edit a VLAN.

[Screenshot: Interfaces / Switch / VLANs]

Switch_vlans_edit.php allows you to create or edit a VLAN. Clicking on any port in the “Available ports” column adds it to, or deletes it from, the “members” list. While we accommodate up to 128 ports, this is an SG-1000, so there are only 3 ports to choose from. There is some pretty fancy jQuery in this page.

[Screenshot: Interfaces / Switch / VLANs / Edit]

The SG-1000 is not the only product we have coming that has built-in switches. Here is a sneak peek at another.

The systems you see in this photo are a Broadwell-DE with either 6 x 10G on SFP+ on top (bcc-1) or 16x1G on RJ45 (with 2 10Gbps uplinks), plus 4 x 10G on SFP+ on bottom (bcc-0).  Both systems additionally have 2 1Gbps Ethernet ports on SFP, as well as redundant power, 2 x M.2, miniPCIe 4 x SATA3 as 2.5″ drives, and a PCIe 3.0 x16 slot for expansion.  Both of these have QuickAssist cards installed, enabling high-speed encryption and compression, but bypass NICs (for IDS/IPS) will likely prove popular as well.

Both also contain a “uBMC”, which is remarkably similar to the SG-1000, and runs pfSense with support for our coming (but unannounced) remote management product. In fact, the germination of the SG-1000 occurred because of uBMC. We noticed that a lot of people (including us) use pfSense to control access to the IPMI/BMC ports on their servers in colocation, so we thought, “Why not put pfSense in the BMC?”

Of course, since pfSense software is open source, this means that you’re no longer beholden to your IPMI vendor for security patches and updates.  More details on those systems, uBMC and the remote management product will be provided in future posts.

24 x 7 Support now Available

Netgate®, the leading provider of open source security solutions and the host of the pfSense® open source firewall project is proud to announce the availability of professional 24×7 support for pfSense software.  

Our new extended support hours are available to all customers who have active pfSense software support incidents on their account.  Support incidents are available both for pfSense hardware purchased from Netgate and for customers who have installed pfSense CE on their own hardware.

Customers with active support incidents on their account are eligible to use telephone, chat and email to initiate a support request. With our new level of staffing and capability, we’re also happy to announce a reduction in our initial response service level agreement (SLA) from 24 hours to 8 hours.

Happy 10th Anniversary to pfSense® Open Source Software

This month marks 10 years since the pfSense 1.0 Open Source firewall and router software distribution hit the Internet. With that release, one of the most successful open-source projects was born. Over the last 10 years, pfSense software has amassed a following and installed base of nearly 400,000. This is an amazing accomplishment by an open source project and it would not have been possible without the interest, engagement, and support of the entire pfSense community. This community includes the contributions of many developers, the support and funding by the host company Netgate, our customers, and the innumerable contributions by those who assist others on the forum or on IRC, have filed bug reports and followed up to test the relevant fixes, tested beta builds and release candidates, created or edited documentation, or written articles on how they use pfSense software. We are humbled by the interest, enthusiasm and trust that so many have for pfSense.  For all of this and more, we thank you!

pfSense 2.3.2-p1 RELEASE Now Available!

We are happy to announce the release of pfSense® software version 2.3.2-p1!

This is a maintenance release in the 2.3.x series, bringing a number of bug fixes. The full list of changes is on the 2.3.2-p1 New Features and Changes page.

This release includes fixes for 34 bugs and 2 feature items completed.

If you haven’t yet caught up on the changes in 2.3.x, check out the Features and Highlights video. Past blog posts have covered some of the changes, such as the performance improvements from tryforward, and the webGUI update.

2.4 pre-alpha snapshots now available.

pfSense® software version 2.4 pre-alpha snapshots are now available.

pfSense 2.4 will use FreeBSD 11 as a base, and 11.0-RELEASE has not yet occurred.  There will be additional work to use 11.0-RELEASE as a base.

More work at “reduction of technical debt” is occurring in 2.4.  We have decided to not carry forward the kernel patches for Captive Portal.  Instead, it is being re-written to use stock IPFW.  That work is only about 75% complete.  MPD4 needs to be converted to MPD5.  Simultaneously to these, work is occurring to convert several subsystems (e.g. radius) to use the PEAR equivalents:

pfSense 2.3.2-RELEASE Now Available!

We are happy to announce the release of pfSense® software version 2.3.2!

This is a maintenance release in the 2.3.x series, bringing a number of bug fixes. The full list of changes is on the 2.3.2 New Features and Changes page.

This release includes fixes for 60 bugs, 8 features and 2 todo items completed.

If you haven’t yet caught up on the changes in 2.3.x, check out the Features and Highlights video. Past blog posts have covered some of the changes, such as the performance improvements from tryforward, and the webGUI update.
