Bug #5203
closed
Directory transversal in Configuration History
100%
Description
getcfg parameter doesn't filter chars with as .. or / this way an admin can retrieve other XML files from the system.
- https://localhost:9090/diag_confbak.php?getcfg=../../../../../../../../cf/conf/config
I don't think it's critical since the admin could still download the current config or any other files from other places or SSH, but still you may want to get it fixed.
Updated by Jim Pingle over 8 years ago
- Target version set to 2.2.5
- Affected Version set to All
- Subject changed from Directory transversal - Config backup to Directory transversal in Configuration History
- Category set to Web Interface
- Status changed from New to Feedback
- Assignee set to Jim Pingle
- Affected Architecture All added
- Affected Architecture deleted (
)
I pushed a fix for this just now. It doesn't appear to be a security problem since the code in question is limited to reading only filenames ending in .xml. The only .xml files with sensitive info on the box are the config.xml files and this page can already read them without any path alterations.
Thanks for the submission, though. In the future, please report any suspected security issues to security@pfsense.org so that we can handle them more appropriately.
Updated by Jim Pingle over 8 years ago
- % Done changed from 0 to 100
Applied in changeset 3b63506685babe9d7ea45212889a00700be4c917.
Updated by Jim Pingle over 8 years ago
Applied in changeset 635ee4eb05b2ca97b3b7e4a909f5d01d57563c3a.
Updated by