Vigil@nce - pfSense: directory traversal of pkg.php and wizard.php
January 2016 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can traverse directories in pkg.php or wizard.php of
pfSense, in order to read a file outside the service root path.
– Impacted products: pfSense.
– Severity: 1/4.
– Creation date: 21/12/2015.
DESCRIPTION OF THE VULNERABILITY
The pfSense product offers a web service, with the /pkg.php and
/wizard.php pages.
However, user-supplied data in the "xml=" parameter is inserted
directly into a file path. Sequences such as "/.." can thus be
used to move up to the parent directory.
An attacker can therefore traverse directories in pkg.php or
wizard.php of pfSense, in order to read a file outside the service
root path.
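To check web server logs for the pattern described above, the following added example (not part of the Vigil@nce bulletin or of pfSense) flags requests to /pkg.php or /wizard.php whose "xml=" value would resolve above its base directory once percent-encoding is undone. The log format, the sample lines and all function names are assumptions made for illustration; only query-string parameters are inspected.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pages and parameter named in the bulletin.
WATCHED_PAGES = {"/pkg.php", "/wizard.php"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (assumed combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Dec/2015:10:00:01 +0000] "GET /pkg.php?xml=example.xml HTTP/1.1" 200 5120',
    '192.0.2.44 - - [21/Dec/2015:10:02:13 +0000] "GET /pkg.php?xml=../../outside.txt HTTP/1.1" 200 312',
    '192.0.2.44 - - [21/Dec/2015:10:02:19 +0000] "GET /wizard.php?xml=%252e%252e%252foutside.txt HTTP/1.1" 200 312',
    '192.0.2.10 - - [21/Dec/2015:10:05:40 +0000] "GET /wizard.php?xml=sub/../example.xml HTTP/1.1" 200 4890',
    '192.0.2.10 - - [21/Dec/2015:10:06:02 +0000] "GET /index.php?xml=../x HTTP/1.1" 200 900',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(value):
    """True if base_dir + "/" + value would resolve above base_dir."""
    path = fully_decode(value).replace("\\", "/").lstrip("/")
    normalised = posixpath.normpath(path)
    return normalised == ".." or normalised.startswith("../")


def suspicious_requests(log_lines):
    """Return (line_number, decoded xml value) for watched pages whose xml= escapes."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path not in WATCHED_PAGES:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("xml", []):
            if escapes_base(value):
                hits.append((number, fully_decode(value)))
    return hits
```

Calling suspicious_requests(SAMPLE_LOG) reports lines 2 and 3; line 4 contains ".." but normalises to a path inside the base directory, so it is not flagged.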
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/pfSense-directory-traversal-of-pkg-php-and-wizard-php-18566