Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-23_03.webgui: Authenticated Arbitrary file create in the WebGUI

Free InsightVM Trial No Credit Card Necessary
Watch Demo See how it all works
Back to Search

pfSense: pfSense-SA-23_03.webgui: Authenticated Arbitrary file create in the WebGUI

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
02/15/2023
Created
02/17/2023
Added
02/16/2023
Modified
02/17/2023

Description

A potential authenticated arbitrary file creation vulnerability was found when creating or editing URL table aliases, a component of the pfSense Plus and pfSense CE software GUI. When validating an alias on save, the name was checked for validity, however the name was still used during the validation by process_alias_urltable(). The function used the name submitted by the user for a filename which means it could have included invalid components such as "../", "|" and other characters to traverse paths and create arbitrary files. This problem is present on pfSense Plus version 22.05.1, pfSense CE version 2.6.0, and earlier versions of both. N.B.: pfSense Plus version 22.05.1 included a partial fix which introduced a PHP error in certain cases when working with URL table aliases. Due to the lack of validation and sanitization, an authenticated user with sufficient access to work with URL table aliases could potentially have the ability to create files with arbitrary names on the firewall filesystem.

Solution(s)

  • pfsense-upgrade-latest

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;