PacketFence 3.2.0 brings new features, closes XSS hole

The PacketFence development team has published version 3.2.0 of its open source network access control (NAC) system. The release adds support for Ruckus Wireless Controllers, integrates the OpenVAS vulnerability assessment system for client-side policy compliance and adds a billing engine that enables the use of a payment gateway for gaining network access.

PacketFence allows organisations to increase control over their network by enforcing authentication and registration for newly connected devices. It also enables abnormal network activity detection and the isolation of troublesome devices. The system is administered via a command line or web-based management system and can be integrated with LDAP or ActiveDirectory service, Snort IDS and the Nesus vulnerability scanner.

The new version performs better as it avoids redundant operations at startup. Performance of FreeRADIUS, an open source RADIUS server, has been improved by approximately two times by avoiding superfluous queries. The developers also note that bandwidth violations tracked by the system are now based on RADIUS accounting information; support for tracking node bandwidth usage was added in version 3.0.

Other changes include the addition of new trigger types, the refactoring of code and tests, more aggressive exception-based configuration error handling and fixes for 18 bugs. The update also addresses a "high" priority vulnerability in the Web Admin printing system (printer.php) that could have been exploited by an attacker to conduct cross-site scripting (XSS) attacks.

Further information about the update, including a full list of changes, can be found in the official release announcement and in the change log. PacketFence 3.2.0 is available to download as source and as RPMs for versions 5 and 6 of Red Hat Enterprise Linux (RHEL) and CentOS. Licensed under the GPLv2, PacketFence is sponsored and developed by Inverse.

See also:

• Reflected XSS in printer.php, PacketFence advisory.

(crve)