pfSense: pfSense-SA-24_01.webgui: Local File Inclusion Vulnerability in the pfSense WebGUI

A potential Local File Include (LFI) vulnerability was discovered in the DNS
Resolver Python Module Script include mechanism.

When the DNS Resolver Python Module function is enabled and a Python Module
Script is present, the system also looks for a PHP file to include for
additional related functions. The filename for this code starts with the same
name as the Python script and ends with "_include.inc".

Though the Python script is tested/validated by Unbound to ensure it is viable,
the PHP include is handled separately.

This problem is present on pfSense Plus version 23.09.1, pfSense CE version
2.7.2, and earlier versions of both.

A user with sufficient access to the DNS resolver and an ability to write
arbitrary files on the firewall could run arbitrary PHP code included during
Python script initialization/testing due to lack of path traversal protection
and validation of the Python script name.

To take advantage of this, the user must be logged in, must be able to write
files with a specific name on the firewall filesystem, and must have access to
the DNS Resolver settings.