A command-injection vulnerability exists in status_services.php. This allows
authenticated WebGUI users with privileges for status_services.php to
execute commands in the context of the root user.
A logged-in user could also be deceived into loading a specially-crafted
URL, permitting a command supplied by a remote attacker to be executed.
A user granted limited access to the pfSense web GUI including access to
status_services.php via the "WebCfg - Firewall: Status: Services"
permission, could leverage this vulnerability to gain increased privileges,
read arbitrary files, execute commands, or perform other alterations.
Because the parameter in question is passed by GET, it can bypass other
protections and be triggered via a malicious iframe or other, similarly
styled attack. This attack vector is viable only if the administrator is
logged into the firewall while loading the malicious page in the same
browser and the remote attacker can guess, or otherwise obtain the local IP
address or hostname of the firewall.