A potential authenticated arbitrary file creation vulnerability was found when
creating or editing URL table aliases, a component of the pfSense Plus and
pfSense CE software GUI.
When validating an alias on save, the name was checked for validity, however the
name was still used during the validation by process_alias_urltable().
The function used the name submitted by the user for a filename which means it
could have included invalid components such as "../", "|" and other characters
to traverse paths and create arbitrary files.
This problem is present on pfSense Plus version 22.05.1, pfSense CE version
2.6.0, and earlier versions of both.
N.B.: pfSense Plus version 22.05.1 included a partial fix which introduced a
PHP error in certain cases when working with URL table aliases.
Due to the lack of validation and sanitization, an authenticated user with
sufficient access to work with URL table aliases could potentially have the
ability to create files with arbitrary names on the firewall filesystem.