A potential authenticated arbitrary file creation vulnerability was found when creating or editing URL table aliases, a component of the pfSense Plus and pfSense CE software GUI. When validating an alias on save, the name was checked for validity, however the name was still used during the validation by process_alias_urltable(). The function used the name submitted by the user for a filename which means it could have included invalid components such as "../", "|" and other characters to traverse paths and create arbitrary files. This problem is present on pfSense Plus version 22.05.1, pfSense CE version 2.6.0, and earlier versions of both. N.B.: pfSense Plus version 22.05.1 included a partial fix which introduced a PHP error in certain cases when working with URL table aliases. Due to the lack of validation and sanitization, an authenticated user with sufficient access to work with URL table aliases could potentially have the ability to create files with arbitrary names on the firewall filesystem.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center