-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-23_03.webgui                                    Security Advisory
                                                                    pfSense

Topic:          Authenticated Arbitrary file create in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2023-02-15
Credits:        yelang123 of stealien
Affects:        pfSense Plus software versions <= 22.05.1
                pfSense CE software versions <= 2.6.0
Corrected:      2022-08-29 14:18:24 UTC (pfSense Plus master, 23.01)
                2023-01-12 17:59:36 UTC (pfSense Plus 22.05)
                2023-01-12 17:59:52 UTC (pfSense Plus 22.05.1)
                2022-08-29 14:18:24 UTC (pfSense CE master, 2.7.0)
                2023-01-12 17:55:38 UTC (pfSense CE 2.6.0)

0.   Revision History

v1.1  2023-06-19  Updated with CE 2.7.0 release information
v1.0  2023-02-15  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

A potential authenticated arbitrary file creation vulnerability was found
when creating or editing URL table aliases, a component of the pfSense Plus
and pfSense CE software GUI.

When validating an alias on save, the name was checked for validity; however,
the name was still used during the validation by process_alias_urltable().
The function used the name submitted by the user for a filename, which means
it could have included invalid components such as "../", "|" and other
characters to traverse paths and create arbitrary files.

This problem is present on pfSense Plus version 22.05.1, pfSense CE version
2.6.0, and earlier versions of both.

N.B.: pfSense Plus version 22.05.1 included a partial fix which introduced a
PHP error in certain cases when working with URL table aliases.

III. Impact

Due to the lack of validation and sanitization, an authenticated user with
sufficient access to work with URL table aliases could potentially have the
ability to create files with arbitrary names on the firewall filesystem.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.

V.   Solution

Users can upgrade to pfSense Plus software version 23.01 or later, or
pfSense CE software version 2.7.0 or later. This upgrade may be performed in
the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 22.05, pfSense Plus version 22.05.1, and
pfSense CE version 2.6.0 may apply the fix from the recommended patches list
in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes
to the affected files if the patches do not apply directly. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
plus/plus-master                   db0cdbc8e77a47b45a6da4061e5d8e59e0fc592d
                                   c239afac1763951eacefc1dbc59ad04f9d319b91
plus/plus-RELENG_22_05             22f19c465e286ac2cc663407e86826dbbdec6e21
                                   f30891422a3a3dcc0647b6ab29e8e66eb948be3b
plus/plus-RELENG_22_05_01          7e2d8be204f7f5cc3573fee411d93c9d791bcdf3
pfSense/master                     db0cdbc8e77a47b45a6da4061e5d8e59e0fc592d
                                   c239afac1763951eacefc1dbc59ad04f9d319b91
pfSense/RELENG_2_6_0               6dc0750874b69373f8adbae9b0af223af13f5f4a
                                   208134113d92d809d4f0e686f3817274854ff264
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmSQerwACgkQE7mH/ZIU
+NrScA//f1MVnI/qii7Jyoi/9Eqbogcp9TMKru7/minjO3DcFbQNTCXdKrB0Ol35
YFFqm+Nvr1bgF4oLJKoUZvWdNiP0rSWe40saxQIqeTUIZBw++MsGMu8x8WQ0mr+k
jJpbIf9EKX4rVycaB3ZJna5ZKb7JzfBdwWIuXGh182V9u98ASFX3kw7utYPZROTd
9/kglltYL7DASVMYneKywPb8dBVebECPXtAVjuS5oqdsSaKYKZEm2NBhyEvARG4b
MXckgqFOpOle6Y51WgavgPPFbwpBUQXax17DhzYrnwuifTtNxKoC4ZpKivCYzL00
h4LFQEvgoczzS/bWedC0bUDq7BNGc08vXDpc6xkAHs2UDqhNpbDvlNBQoTeVCoga
5+Zd90PSr2RJcF/W3Ysw4ORmFXhSWPet9XX36anXUxbdPmRlgQXFOW247LCc7qJQ
PuNuo71qlwwNHxGkBcfD0pQ0SpjuqA9Hwp+M64arAvpRD7xoK7oiatVZp+P2z0p1
WPxHiNaf3O3aUuY5psbKXrtZh7CIT/BCzayGcCGmsnmC8hNz8zbgtzFi95HgzXGq
fghSA2Iz/ezUUDIRZQ03U16WIlKScbdvs9U8z88NT0Af2ihEq3fo6389ErS8nYg0
QI5ooWtZO8/4tUw1k3bXipkhsB+HJzwV/r0vk5soluQll5JLjiM=
=aI9L
-----END PGP SIGNATURE-----
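The flaw described in section II is an ordering problem: the alias name fails validation, but the same request handler still hands that name to a routine that derives a filename from it. The following PHP is an added illustration, not pfSense code and not the content of the commits listed above; the base directory, the function names (is_valid_alias_name, urltable_file_path, save_alias_vulnerable, save_alias_fixed) and the sample submissions are assumptions. It places the check-then-use pattern beside a version that returns before any use of the untrusted name and confines the resulting path to a single component under the base directory.

```php
<?php
// Added illustration, not pfSense code: the check-then-use ordering the
// advisory describes, beside a version that validates before any use of
// the submitted name and confines the resulting path. The directory,
// function names and sample inputs are assumptions.

const URLTABLE_DIR = '/var/db/aliastables';   // assumed base directory

// Allowlist for alias names: a letter or underscore, then up to 31
// letters, digits or underscores. Anything else (including '/', '..',
// '|' and whitespace) is rejected outright.
function is_valid_alias_name(string $name): bool
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,31}$/', $name) === 1;
}

// Build the table file path only for a validated name, and confirm the
// result is a single path component directly under URLTABLE_DIR.
function urltable_file_path(string $name): string
{
    if (!is_valid_alias_name($name)) {
        throw new InvalidArgumentException('invalid alias name');
    }
    $file = $name . '.txt';
    $path = URLTABLE_DIR . '/' . $file;
    // Defense in depth: basename() and dirname() must give back exactly
    // the pieces we assembled, or a separator slipped through.
    if (basename($path) !== $file || dirname($path) !== URLTABLE_DIR) {
        throw new RuntimeException('path escapes base directory');
    }
    return $path;
}

// Vulnerable ordering (the advisory's pattern): the name fails validation
// and an error is recorded, but the file-naming step still consumes it.
function save_alias_vulnerable(array $post, array &$errors): string
{
    if (!is_valid_alias_name($post['name'])) {
        $errors[] = 'The alias name is invalid.';
    }
    // BUG: reached even when $errors is non-empty
    return URLTABLE_DIR . '/' . $post['name'] . '.txt';
}

// Fixed ordering: return before the untrusted name reaches any file
// operation, and derive the path through the confining helper.
function save_alias_fixed(array $post, array &$errors): ?string
{
    if (!is_valid_alias_name($post['name'])) {
        $errors[] = 'The alias name is invalid.';
        return null;
    }
    return urltable_file_path($post['name']);
}

// Constructed sample submissions: one valid name, one with a traversal
// component, one with a shell metacharacter.
foreach (['blocklist', '../../tmp/escaped', 'a|b'] as $name) {
    $vulnErrors  = [];
    $fixedErrors = [];
    $vulnPath  = save_alias_vulnerable(['name' => $name], $vulnErrors);
    $fixedPath = save_alias_fixed(['name' => $name], $fixedErrors);
    printf("%-18s vulnerable=%-40s fixed=%s\n",
        $name, $vulnPath, $fixedPath ?? 'rejected');
}
```

Running it shows the vulnerable path builder returning a filename for every input, while the fixed handler yields a path only for the allowlisted name and reports the other two as rejected. The two independent layers, an allowlist on the submitted name and a post-construction confinement check, mirror the defensive posture the advisory's workaround implies: even where a GUI validation step is later bypassed or reordered, the file-naming routine itself refuses to produce a path outside its directory.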