A command-injection vulnerability exists in wizard.php via update_config_field() due to its passing user input through eval(), especially in its handling of interfaces_selection type fields. This allows an authenticated WebGUI user with privileges for wizard.php to execute commands in the context of the root user. A user on version 2.3.2_1 or earlier of the pfSense software, granted limited access to the pfSense software WebGUI including access to wizard.php, could leverage these vulnerabilities to gain increased privileges, read other files, execute commands, or perform other alterations. This is not relevant for admin-level users as there are other deliberate means by which an administrator could run commands.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center