A vulnerability was discovered in the pfSense WebGUI that could lead to
arbitrary file deletion.
Insufficient validation of the HTTP request origin and the "deletefile" HTTP
GET parameter in the "/system_firmware_restorefullbackup.php" script can lead
to arbitrary file deletion. A remote attacker can trick a log-in administrator
into visiting a malicious page with CSRF exploit and delete arbitrary files
on the target system with root privileges.
Due to the lack of validation on the affected actions and pages, a CSRF
attack could executed in the user's browser to trigger an unwanted action.
Loading the "/system_firmware_restorefullbackup.php" page with the "deletefile"
HTTP GET parameter defined deletes the specified file without CSRF protection,
sanitizing the path, or other verification. Passing a relative path in the
variable would allow deletion of an arbitrary file.