Skip to content

Instantly share code, notes, and snippets.

@enferas
Created October 2, 2022 10:46
Embed
What would you like to do?
XSS in pfsense v2.5.2

XSS vulnerability in pfsense v2.5.2

The path of the XSS vulnerability in file https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vendor/filebrowser/browser.php

In this file we get the list of dirs and files in specific directory through the function get_content.

Then we print the list of files as we can see in this simplified code.

// ----- read contents -----
if (is_dir($path)) {
    list($dirs, $files) = get_content($path);
?>

//...

// ----- files -----
foreach ($files as $file):
    //...

    $fqpn = "{$path}/{$file}";

    if (is_file($fqpn)) {
        $fqpn = realpath($fqpn);
        $size = sprintf("%.2f KiB", filesize($fqpn) / 1024);
    } else {
        $size = "";
    }

?>
    <tr>
        <td></td>
        <td class="fbFile vexpl text-left" id="<?=$fqpn;?>">
            <?php $filename = htmlspecialchars(addslashes(str_replace("//","/", "{$path}/{$file}"))); ?>
            <div onClick="$('#fbTarget').val('<?=$filename?>'); loadFile(); $('#fbBrowser').fadeOut();">
                <img src="/vendor/filebrowser/images/file_<?=$type;?>.gif" alt="" title="">
                &nbsp;<?=htmlspecialchars($file);?>
            </div>
        </td>
        <td class="vexpl text-right">
            <?=$size;?>
        </td>
    </tr>

There is no sanitizer with the variable $fqpn which contains the file name.

<td class="fbFile vexpl text-left" id="<?=$fqpn;?>">

The developer confirm the vulnerability with the current file name

''' touch '">{<}img src=src onerror=alert(3) foo=foo{>}' '''

The patch: https://github.com/pfsense/pfsense/commit/73ca6743954ac9f35ca293e3f2af63eac20cf32e

@enferas
Copy link
Author

enferas commented Oct 3, 2022

CVE-2022-42247 is assigned to this discovery

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment