AllowwebGUI to work in an IFrame - PFSense 2.1

  • FYI, for anyone else that want to use the webGUI in a IFrame.

    /usr/local/www/ 55
    Comment out
    Header("X-Frame-Options: SAMEORIGIN");

    /usr/local/www/csrf/csrf-magic.php:Line 116
    Change to false
    $GLOBALS['csrf']['frame-breaker'] = false;

    /usr/local/www/ 50
    Comment out

    /usr/local/www/ 58
    Comment out
    top.location = self.location;

    Standard disclaimer, don't do this if you aren't willing to sacrifice some security on your PFSense router!
    Great job to the PFSense team, just upgraded my 2.0.1 routers to 2.1 and went pretty easy with lots of fancy configurations options!

  • Thanks for this.

    On v 2.0.1 and 2.0.3 it was enough to just set to false $GLOBALS['csrf']['frame-breaker'].

    @devs: I think it would be better to have an option in the Misc advanced settings to disable these officially. Most people access the webgui from protected networks anyway, not through plain public internet.

  • Rebel Alliance Developer Netgate

    Unlike the other security checks which are optional, this one is a bit more likely to actually happen.

    It doesn't matter where you access it from, the problem is that some other random page could include the firewall in a frame and you may not realize it. It's a bit more subtle attack vector than the others.

    In a perfect world nobody would browse and manage firewalls from the same browser, or even workstation, but in reality it's not quite that straightforward.

  • You probably misunderstood me.

    I don't say to actually remove these security features! I only think it would be useful to have an option in the advanced settings, do disable them. They should be enabled by default, but if someone wants to disable them, it would be nince not to have to modify the php code. It's only the responsibility of the admin user anyway, if he/she wants to use it like this, not pfSense team.

  • Rebel Alliance Developer Netgate

    The danger of the alteration should be proportionate to the action you have to take to make it happen. :-)

    Set it up as a patch in the system patches package. Easy to apply it there.

  • Still works with 2.1.3, line numbers are shifted down by 1.

    I have used this several times since posting it to "fix" pfsense to work in a iframe. I really think this should be a checkbox, probably after "Browser HTTP_REFERER enforcement" on the System->Advanced page.

    My second thought would be a php config file for security features so after updating firmware "fixing" would be easy.

  • Some many release, need to automate this. Storing in thread so I don't forget.

    This should work with versions 2.1 - 2.2.4

    #! /bin/bash
    sed -i -e '/header("X-Frame-Options: SAMEORIGIN");/s/^/\/\//' /usr/local/www/
    sed -i -e "s/['frame-breaker'] = true/['frame-breaker'] = false/g" /usr/local/www/csrf/csrf-magic.php
    sed -i -e '/body{display:none}/s/^/\/\//' /usr/local/www/
    sed -i -e '/top.location = self.location;/s/^/\/\//' /usr/local/www/

  • Rebel Alliance Developer Netgate

    You're better off starting a new thread, a lot has changed since this thread (lighttpd switched out for nginx, for one).

    From a security standpoint, allowing it to run in an iframe is an awful idea, which is why we have protection against it.

Log in to reply