Multiple Cross-Site Request Forgery protection bypass vulnerabilities were
discovered in the pfSense WebGUI during a security audit.
* DNS queries and alias creation are executed with a GET request that lacks
CSRF protection on diag_dns.php.
* Configuration restore and deletion actions on diag_confbak.php are
executed with a GET request that lacks CSRF protection.

Due to the lack of CSRF validation on the affected actions and pages, a CSRF
attack could be executed in the user's browser to trigger an unwanted action.

Loading the diag_dns.php page with the "host" parameter defined performs a
DNS request via a GET request. This may cause unintended network activity in
the form of a DNS host lookup of the supplied name.

When a site returns multiple hosts in a DNS result on diag_dns.php, a
feature is activated that allows the creation of a firewall alias from the
result. This alias is created by following a GET link that does not have any
CSRF protection. A CSRF attack could lead to the creation of this alias.

When selecting a configuration to restore or delete from diag_confbak.php,
the request was handled via GET and was not protected against CSRF. An
attacker could cause the user to follow a link which would restore an older
firewall configuration or delete an older configuration backup.
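
One way to review WebGUI access logs for the GET-driven actions described above, as an added example that is not part of the original advisory or the pfSense code base. It assumes combined-format access logs; the host names, log lines and the `placeholder` query parameter are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the WebGUI's web server writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample log lines (hosts, addresses and "placeholder" are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /diag_dns.php?host=example.com HTTP/1.1" 200 5120 "https://fw.example.test/diag_dns.php" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "GET /diag_dns.php?host=example.net HTTP/1.1" 200 5100 "https://other.example.org/page.html" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /diag_confbak.php?placeholder=1 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:07:00 +0000] "GET /diag_confbak.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:08:00 +0000] "POST /diag_confbak.php HTTP/1.1" 200 4000 "https://fw.example.test/diag_confbak.php" "Mozilla/5.0"',
]

def is_state_changing_get(path, query):
    """True for the GET-driven actions the advisory describes."""
    if path.endswith("/diag_dns.php"):
        return "host" in query   # parameter named in the advisory
    if path.endswith("/diag_confbak.php"):
        return bool(query)       # any parameter: possible restore/delete
    return False

def find_suspect_requests(lines, gui_hosts):
    """Return (client, target, referer) for affected GETs not referred by the GUI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        query = parse_qs(url.query, keep_blank_values=True)
        if not is_state_changing_get(url.path, query):
            continue
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if ref_host not in gui_hosts:   # missing or foreign Referer
            hits.append((m["client"], m["target"], m["referer"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG, {"fw.example.test"}):
        print(hit)
```

A missing Referer also occurs with bookmarks and strict referrer policies, so hits are leads for review rather than confirmed CSRF.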