PacketFence NAC update closes XSS holes
Version 3.0.2 – a maintenance and security update – of the PacketFence open source network access control (NAC) system has been released. According to the Inverse development team, the update addresses two vulnerabilities in the captive portal and administrative interface that could have been exploited by an attacker to conduct cross-site scripting (XSS) attacks. Versions prior to 3.0.2 are affected; all users are advised to update to the new version.
Other changes include the addition of support for Trapeze Wireless controllers, enhancements to wireless deauthentication in bridge mode for certain controllers, validation improvements and translation updates.
Further details about the update, including a full list of changes, can be found in the official release announcement and in the change log. PacketFence 3.0.2 is available to download as source, or RPMs for RHEL6 or CentOS 6 from the project's site; documentation is provided. Licensed under the GPLv2, PacketFence is sponsored and developed by Inverse inc..
- XSS in web administration interface, PacketFence advisory
- XSS in captive portal web interface, PacketFence advisory.
- PacketFence NAC 3.0 brings new features, hardware support, a report from The H.