pfSense: pfSense-SA-24_01.webgui: Local File Inclusion Vulnerability in the pfSense WebGUI
Description
A potential Local File Include (LFI) vulnerability was discovered in the DNS Resolver Python Module Script include mechanism. When the DNS Resolver Python Module function is enabled and a Python Module Script is present, the system also looks for a PHP file to include for additional related functions. The filename for this code starts with the same name as the Python script and ends with "_include.inc". Though the Python script is tested/validated by Unbound to ensure it is viable, the PHP include is handled separately. This problem is present on pfSense Plus version 23.09.1, pfSense CE version 2.7.2, and earlier versions of both. A user with sufficient access to the DNS resolver and an ability to write arbitrary files on the firewall could run arbitrary PHP code included during Python script initialization/testing due to lack of path traversal protection and validation of the Python script name. To take advantage of this, the user must be logged in, must be able to write files with a specific name on the firewall filesystem, and must have access to the DNS Resolver settings.
Solution(s)
- pfsense-upgrade-latest
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center