Bug #12257

closed

Route data collection method on `diag_routes.php` has multiple issues

Added by Jim Pingle over 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: Routing
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Affected Version:
Affected Architecture:

Description

The way that route data is collected for presentation in the GUI on diag_routes.php has multiple problems, including:

  • The use of sed appears to be unnecessary, and using sed in this way without severely limiting the filtering character set is a security issue, as sed commands can be used which can perform unintended actions such as overwriting files or changing the output of the command in other problematic ways.
  • The AJAX request uses POST but the code allows parameters to be sent via GET instead which is unnecessary and potentially problematic (see previous point).
  • The AJAX request to fetch route data runs every 5 seconds, which seems too frequent since the route table rarely changes that fast, and the user can click the 'Update' button to trigger a manual refresh. 15 seconds seems more reasonable.
  • The data returned by AJAX includes the headers of netstat output and draws the table dynamically. As a consequence, these headers lack gettext() translations, and some of the values are not ideal (e.g. output has "Mtu" instead of "MTU").
  • The table contains only some of the necessary attributes to be sortable, so sorting doesn't work as the specification is not complete.
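
The first, second and fourth points above can be illustrated with a short PHP sketch that filters route rows inside PHP instead of passing the user's filter to sed, accepts the filter from POST only, and drops the netstat header so the page can supply its own translated column names. This is an added example, not the pfSense code or the fix applied for this bug; the function names, the `filter` parameter name, the length and character limits, and the sample netstat text are all assumptions constructed for illustration.

```php
<?php
// Added example with hypothetical helper names; not taken from diag_routes.php.

// Constructed sample of netstat-style route output (not captured from a real system).
const SAMPLE_NETSTAT = <<<'TXT'
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         em0
127.0.0.1          link#3             UH          lo0
192.0.2.0/24       link#1             U           em1
TXT;

/**
 * Read the filter from POST data only, bounding its length and character set.
 * Anything outside the allowed set yields an empty filter (no filtering).
 */
function read_filter(array $post): string
{
    $raw = $post['filter'] ?? '';           // 'filter' is an assumed parameter name
    if (!is_string($raw) || strlen($raw) > 64) {
        return '';
    }
    return preg_match('/\A[0-9A-Za-z.:\/#%_-]*\z/', $raw) ? $raw : '';
}

/**
 * Return route rows containing $filter as a literal, case-insensitive substring.
 * The comparison happens in PHP; the filter never reaches a shell or sed.
 */
function filter_route_rows(string $netstat_output, string $filter, int $limit = 100): array
{
    $rows = [];
    $lines = preg_split('/\R/', trim($netstat_output));
    array_shift($lines); // drop netstat's header; the page renders its own translated headers
    foreach ($lines as $line) {
        if ($filter !== '' && stripos($line, $filter) === false) {
            continue;
        }
        $rows[] = preg_split('/\s+/', trim($line));
        if (count($rows) >= $limit) {
            break;
        }
    }
    return $rows;
}

$filter = read_filter(['filter' => '192.0.2.']); // array stands in for $_POST
foreach (filter_route_rows(SAMPLE_NETSTAT, $filter) as $row) {
    echo implode("\t", $row), PHP_EOL;
}
```

Because the filter is treated as data by `stripos()` rather than as part of a command, the character allowlist is a second layer of defence and not the only control.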