Created October 2, 2022 10:46
XSS in pfsense v2.5.2

XSS vulnerability in pfsense v2.5.2

The path of the XSS vulnerability in file

In this file, the list of directories and files in a given directory is obtained through the function get_content.

The list of files is then printed, as the following simplified code shows.

```php
<?php
// ----- read contents -----
if (is_dir($path)) {
    list($dirs, $files) = get_content($path);
}

// ----- files -----
foreach ($files as $file):

    $fqpn = "{$path}/{$file}";

    if (is_file($fqpn)) {
        $fqpn = realpath($fqpn);
        $size = sprintf("%.2f KiB", filesize($fqpn) / 1024);
    } else {
        $size = "";
    }
?>
        <!-- $fqpn (which contains the file name) is written into the id attribute unescaped -->
        <td class="fbFile vexpl text-left" id="<?=$fqpn;?>">
            <?php $filename = htmlspecialchars(addslashes(str_replace("//","/", "{$path}/{$file}"))); ?>
            <div onClick="$('#fbTarget').val('<?=$filename?>'); loadFile(); $('#fbBrowser').fadeOut();">
                <img src="/vendor/filebrowser/images/file_<?=$type;?>.gif" alt="" title="">
            </div>
        </td>
        <td class="vexpl text-right">
        </td>
<?php
endforeach;
```

The variable $fqpn, which contains the file name, is written into the id attribute without any sanitization (unlike $filename on the next line, which goes through htmlspecialchars):

```php
<td class="fbFile vexpl text-left" id="<?=$fqpn;?>">
```

The developer confirmed the vulnerability with the following file name:

```
touch '">{<}img src=src onerror=alert(3) foo=foo{>}'
```
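The fix is to escape every value before it lands in HTML. The following is an added example, not code from the gist or from pfSense: `render_row_vulnerable()` mirrors the pattern shown above (the id attribute emitted unescaped), and `render_row_fixed()` escapes the same values with `htmlspecialchars` and `json_encode`. The function names, the `/tmp` path and the file name are this example's own constructed values.

```php
<?php
// Added example (not pfSense code). Both functions build the <td> for one
// file-browser entry; only the fixed one escapes the value put into id="".

function render_row_vulnerable(string $path, string $file): string
{
    $fqpn = "{$path}/{$file}";
    // Only the onClick value is escaped; the id attribute is not.
    $filename = htmlspecialchars(addslashes(str_replace("//", "/", $fqpn)));
    return '<td class="fbFile vexpl text-left" id="' . $fqpn . '">'
         . '<div onClick="$(\'#fbTarget\').val(\'' . $filename . '\'); loadFile();">'
         . '</div></td>';
}

function render_row_fixed(string $path, string $file): string
{
    $fqpn = str_replace("//", "/", "{$path}/{$file}");
    // ENT_QUOTES escapes both " and ', so the value cannot break out of a
    // double-quoted attribute or of a quoted string inside it.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // For the JavaScript argument, json_encode with the JSON_HEX_* flags
    // turns <, >, &, ' and " into \uXXXX escapes before HTML escaping.
    $jsArg = json_encode($fqpn, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<td class="fbFile vexpl text-left" id="' . $h($fqpn) . '">'
         . '<div onClick="$(\'#fbTarget\').val(' . $h($jsArg) . '); loadFile();">'
         . '</div></td>';
}

// Constructed file name in the style of the one from the report.
$path = '/tmp';
$file = '"><img src=x onerror=alert(1)>';

$bad  = render_row_vulnerable($path, $file);
$good = render_row_fixed($path, $file);

// In the vulnerable output the leading quote closes the id attribute and
// the <img> tag becomes live markup; in the fixed output the same name is
// inert text (&quot;&gt;&lt;img ...).
echo "vulnerable row: {$bad}\n";
echo "fixed row:      {$good}\n";
echo "live <img in vulnerable output: ", var_export(str_contains($bad, '<img src=x'), true), "\n";
echo "live <img in fixed output:      ", var_export(str_contains($good, '<img src=x'), true), "\n";
```

Run it with `php` (8.0 or later, for `str_contains`) and compare the two rows: the practical check for this class of bug is that a file name containing `"`, `<` or `>` never appears in the rendered HTML unescaped, whichever attribute or text node it is written into.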

The patch:


enferas commented Oct 3, 2022

CVE-2022-42247 is assigned to this discovery
