Bug #14549 (closed)
Interface value is not properly validated when submitted on ``interfaces_gif_edit.php`` and ``interfaces_gre_edit.php``
Description
When submitting a form on ``interfaces_gif_edit.php`` or ``interfaces_gre_edit.php``, the page takes an optional value for the interface, either ``gifif`` or ``greif`` depending on the page. This is meant to contain the interface name of an existing interface, but the value is not validated before use. This value is passed to either ``interface_gif_configure()`` or ``interface_gre_configure()``, where it is used in shell commands.

Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for ``$_POST['gifif']``, such as ``; touch somefile; #``.

The user must be logged in and have sufficient privileges to access either ``interfaces_gif_edit.php`` or ``interfaces_gre_edit.php``.
Similar to #14052, the input should be validated and the interface should also be escaped when used in commands.
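The two mitigations named above, allowlist validation of the submitted name and shell escaping of the argument, as an added, stand-alone PHP example that is not pfSense code. The function names ``is_valid_ifname()`` and ``build_ifconfig_cmd()``, the interface-name pattern, and the inventory of known interfaces are all assumptions made for the example; the rejected input is the payload quoted in the report.

```php
<?php
// Added example (not pfSense code): validate an interface name taken from
// $_POST before it is used anywhere near a shell command, and quote every
// argument when the command line is built.

/**
 * Return true only if $name looks like a plausible FreeBSD interface name
 * (assumed pattern: a letter, then up to 14 letters/digits/underscores,
 * optionally a VLAN-style ".nnn" suffix) and, when an inventory of existing
 * interfaces is supplied, is actually present in it.
 */
function is_valid_ifname(string $name, ?array $known = null): bool
{
    if (!preg_match('/^[a-z][a-z0-9_]{0,14}(\.[0-9]{1,4})?$/', $name)) {
        return false;
    }
    if ($known !== null && !in_array($name, $known, true)) {
        return false;
    }
    return true;
}

/**
 * Build an ifconfig command line with every argument passed through
 * escapeshellarg(), so shell metacharacters in any argument stay literal.
 * Validation above is still required: escaping alone does not make an
 * unknown interface name meaningful.
 */
function build_ifconfig_cmd(string $ifname, array $args): string
{
    $parts = array_map('escapeshellarg', array_merge([$ifname], $args));
    return '/sbin/ifconfig ' . implode(' ', $parts);
}

// Constructed inputs: one legitimate name and the payload from the report.
$inputs = ['gif0', '; touch somefile; #'];
// Constructed inventory standing in for the list of real interfaces.
$known  = ['gif0', 'gre0', 'em0'];

foreach ($inputs as $in) {
    if (!is_valid_ifname($in, $known)) {
        // In a form handler this would become an input_errors entry and the
        // request would stop here; no command is ever built for this value.
        echo 'rejected: ' . var_export($in, true) . "\n";
        continue;
    }
    echo build_ifconfig_cmd($in, ['tunnel', '192.0.2.1', '198.51.100.1']) . "\n";
}
```

Running this prints the quoted ``ifconfig`` line for ``gif0`` and a ``rejected:`` line for the injection string; the check against ``$known`` is what enforces "an existing interface", while the regex keeps obviously malformed values out even when no inventory is passed.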