CVE-2019-25373
📋 TL;DR
This stored cross-site scripting vulnerability in OPNsense 19.1 (before 19.1.7) allows an authenticated user who can edit firewall rules to inject JavaScript through the rule category field. The payload is saved with the rule, so whenever another user views the affected firewall rule pages the script runs in that user's browser, where it can read the session cookie or issue requests as the victim. Exploitation needs a legitimate account with firewall rule access; the victims are the other administrators who view the pages.
💻 Affected Systems
- OPNsense
📦 What is this software?
OPNsense is an open-source, FreeBSD-based firewall and routing platform that is administered through a PHP web interface; the firewall rule editor in that interface is where this issue lives.
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control of the OPNsense firewall, modifies network rules, intercepts traffic, or pivots to internal networks.
Likely Case
Attacker steals administrator session cookies, gains persistent access to the firewall management interface, and modifies firewall rules to allow unauthorized access.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching user browsers, preventing execution.
🎯 Exploit Status
Exploitation requires authenticated access with permission to edit firewall rules. Public exploit code exists and amounts to a single POST request with a JavaScript payload in the category parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.1.7 and later
Vendor Advisory: https://forum.opnsense.org/index.php?topic=11469.0
Restart Required: No
Instructions:
1. Update OPNsense via System → Firmware → Updates.
2. Click 'Check for updates'.
3. Install all available updates.
4. Verify that the version is 19.1.7 or newer.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation that rejects or escapes HTML/JavaScript in the category parameter before it is stored.
# Requires modifying firewall_rules_edit.php to sanitize the category input
# Example: $category = htmlspecialchars($_POST['category'], ENT_QUOTES, 'UTF-8');
# Caveat: escaping at input time stores the encoded form in config.xml, and it
# will be double-encoded once a release that escapes at output is installed.
# Treat this as a stopgap until the upgrade to 19.1.7; the durable fix is
# output encoding where the category is rendered.
Restrict Firewall Rule Access
Limit which administrators can create or modify firewall rules; only an account with rule edit rights can plant the payload.
# In OPNsense GUI: System → Access → Users
# Modify user privileges to remove firewall rule editing capability
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing JavaScript in category parameter
- Monitor firewall rule changes and audit logs for suspicious category field entries
🔍 How to Verify
Check if Vulnerable:
Check the OPNsense version via the GUI (System → Firmware → Status) or on the CLI with 'opnsense-version'. Any 19.1.x release older than 19.1.7 is vulnerable.
Check Version:
opnsense-version
Verify Fix Applied:
Confirm the version is 19.1.7 or newer. To test the fix, create a throwaway rule whose category is <script>alert('test')</script> and view the rules page: the text must appear literally (escaped) and no dialog may fire. Delete the test rule afterwards so the marker does not linger in config.xml.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /firewall_rules_edit.php whose category parameter contains script tags, event handlers or javascript: URLs. Note that the category travels in the POST body, which the web server access log does not record; you need a reverse proxy or WAF that logs bodies, or you inspect the stored rules (config.xml) instead.
- Firewall rule modifications from accounts that do not normally edit rules, or at unusual times
Network Indicators:
- HTTP requests containing <script> tags in POST body parameters
- Unexpected outbound connections from OPNsense management interface
SIEM Query (pseudo-syntax; adapt the source and field names to your SIEM, and note that it only matches if the request body is logged):
source="opnsense.log" AND (uri="/firewall_rules_edit.php" AND (category CONTAINS "<script>" OR category CONTAINS "javascript:"))
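The query above only fires on a literal <script> string and only if request bodies reach the SIEM. The following is an added example (not code from the page or from the OPNsense project) of the two checks a responder can actually run offline: scanning a logged form-encoded POST body for a hostile category value, and scanning the firewall rules stored in config.xml. The config.xml layout (<filter><rule> with <descr> and <category> children) is an approximation and an assumption, as is every sample value below; both inputs are constructed for the example. Values are URL-decoded and entity-decoded twice before matching so that encoded payloads are not missed, while a legitimate category such as "R&D & QA" is not flagged.

```python
from __future__ import annotations

import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Markup a firewall-rule category name should never contain. Matching is done
# on the normalised value, so percent- or entity-encoded payloads are caught too.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b"  # tag injection
    r"|javascript\s*:"                                        # javascript: URLs
    r"|\bon[a-z]+\s*=",                                       # event handlers
    re.IGNORECASE,
)


def normalise(value: str) -> str:
    """Strip the encoding layers an attacker can hide behind.

    Two rounds of entity decoding turn '&amp;lt;script&amp;gt;' into '<script>'.
    """
    return html.unescape(html.unescape(value))


def is_suspicious(value: str) -> bool:
    """True if the (decoded) category value looks like HTML or script."""
    return SUSPICIOUS.search(normalise(value)) is not None


def flag_post_body(body: str) -> list[str]:
    """Return hostile 'category' values from a form-urlencoded POST body.

    This is what a reverse proxy or WAF with body logging would hand you;
    parse_qs performs the percent-decoding.
    """
    params = parse_qs(body, keep_blank_values=True)
    return [v for v in params.get("category", []) if is_suspicious(v)]


def flag_config_rules(config_xml: str) -> list[tuple[str, str]]:
    """Scan <rule> entries of an OPNsense-style config.xml (assumed layout).

    Returns (descr, category) pairs whose category looks like markup. The XML
    parser already decodes one entity layer; normalise() handles the rest.
    """
    root = ET.fromstring(config_xml)
    hits = []
    for rule in root.iter("rule"):
        category = rule.findtext("category") or ""
        if is_suspicious(category):
            hits.append((rule.findtext("descr") or "", category))
    return hits


# Constructed sample POST body (not a real capture): the category carries the
# same harmless alert() marker the verification step above uses.
SAMPLE_BODY = (
    "type=pass&interface=lan&descr=Allow+web"
    "&category=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E"
)

# Constructed sample config.xml fragment (assumed structure, not a real file).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <descr>Allow LAN to any</descr>
      <category>Default allow</category>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <descr>Remote management</descr>
      <category>&lt;img src=x onerror=alert(1)&gt;</category>
    </rule>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <descr>Block legacy</descr>
      <category>R&amp;D &amp; QA</category>
    </rule>
  </filter>
</opnsense>
"""

if __name__ == "__main__":
    for value in flag_post_body(SAMPLE_BODY):
        print("hostile category in POST body:", value)
    for descr, category in flag_config_rules(SAMPLE_CONFIG):
        print(f"hostile category in stored rule '{descr}':", category)
```

Run it against a copy of /conf/config.xml pulled from the firewall, or against body logs from the proxy in front of the GUI; any hit is a rule to inspect and an account whose activity should be audited. Note that this flags stored payloads but does not remove them: a rule carrying markup in its category still has to be edited or deleted after the upgrade.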