
pfSense: pfSense-SA-23_10.webgui: Authenticated Command Execution in the WebGUI

Severity: 9
CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published: Oct 31, 2023
Added: Nov 7, 2023
Modified: Feb 18, 2025

Description

A potential authenticated arbitrary command execution vulnerability was found in
interfaces_gif_edit.php and interfaces_gre_edit.php, components of the pfSense
Plus and pfSense CE software GUI.

When creating or editing a GIF interface on interfaces_gif_edit.php or a GRE
interface on interfaces_gre_edit.php, the submitted POST "gifif" or "greif"
value is not validated. The unvalidated value is then passed to another
function that uses it in shell commands.

This problem is present on pfSense Plus version 23.05.1, pfSense CE version
2.7.0, and earlier versions of both.

Because the called functions do not escape the value before placing it in
shell commands, a suitably crafted "gifif" or "greif" value in a POST request
can execute arbitrary commands.

The user must be logged in and have sufficient privileges to access
either interfaces_gif_edit.php or interfaces_gre_edit.php.
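As an added illustration (not pfSense's code and not its actual patch), the pattern the advisory describes, a POST field reaching a shell command unescaped, shown beside a hardened version that whitelists the interface name and shell-escapes it. The function names, the ifconfig command and the accepted name shape (family prefix plus a short number) are assumptions for the example:

```php
<?php
// Added example, not pfSense code. Names and the accepted name shape are assumptions.

// Vulnerable pattern as described in the advisory: the submitted value is
// interpolated into a shell command with no validation and no escaping.
function build_ifconfig_unsafe(string $ifname): string {
    return "/sbin/ifconfig {$ifname} create";
}

// Hardened: accept only the one shape a GIF/GRE interface name can take
// (family prefix followed by a short number; assumed for this example).
function validate_tunnel_ifname(string $ifname, string $kind): bool {
    if (!in_array($kind, ['gif', 'gre'], true)) {
        return false;
    }
    return preg_match('/^' . $kind . '[0-9]{1,4}$/', $ifname) === 1;
}

// Reject anything that fails the whitelist; escape the value anyway as
// defence in depth, so a later change to the pattern cannot reopen the hole.
function build_ifconfig_safe(string $ifname, string $kind): ?string {
    if (!validate_tunnel_ifname($ifname, $kind)) {
        return null; // caller reports an input error instead of running anything
    }
    return '/sbin/ifconfig ' . escapeshellarg($ifname) . ' create';
}

// Constructed sample submissions standing in for the "gifif"/"greif" POST fields.
$samples = [
    ['kind' => 'gif', 'value' => 'gif0'],
    ['kind' => 'gre', 'value' => 'gre12'],
    ['kind' => 'gif', 'value' => 'gif0; echo injected'], // shell metacharacters
    ['kind' => 'gif', 'value' => 'gre0'],                // wrong interface family
];

foreach ($samples as $s) {
    $cmd = build_ifconfig_safe($s['value'], $s['kind']);
    printf("%-22s -> %s\n", $s['value'], $cmd ?? 'REJECTED');
}
```

Only the first two samples produce a command; the unsafe builder would have run all four verbatim, which is the failure the fixed releases close.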

Solution

pfsense-upgrade-latest