Bug #7230
Closed
wizard.php - update_config_field() uses eval to set a value in a way that allows variable protections to be bypassed
Start date: 02/07/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All
Description
update_config_field() in wizard.php needs to use eval to construct a variable name that is several array levels deep. The problem lies in the way the value is set for this variable; it can be bypassed in various ways, including using passthru to escape addslashes.
It's easiest to test by using the OpenVPN wizard, get to the step with the interface selection and use Firebug to alter the interface value to be"
wan";echo exec("id");"
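
One way to set a value several array levels deep without eval, shown as an added example that is not pfSense's wizard.php code or its actual fix. The function names, the "->" path separator, the key names and the list of known interfaces are assumptions made for illustration; the submitted value is the one quoted in the report.

```php
<?php
// Added illustration: hypothetical helpers, not taken from wizard.php.

// Assign $value at a nested location by walking the array by reference.
// Path segments are used only as array keys and the value is assigned
// as data, so neither is ever parsed as PHP source.
function set_config_path(array &$config, string $path, $value): void
{
    $node = &$config;
    foreach (explode('->', $path) as $segment) {
        // Conservative key character set (assumption for this example).
        if (!preg_match('/^[A-Za-z0-9_]+$/', $segment)) {
            throw new InvalidArgumentException("bad path segment: {$segment}");
        }
        if (!isset($node[$segment]) || !is_array($node[$segment])) {
            $node[$segment] = [];
        }
        $node = &$node[$segment];
    }
    $node = $value;
}

// Accept a selection field only if it matches a value the server offered.
function validate_choice(string $submitted, array $allowed): string
{
    if (!in_array($submitted, $allowed, true)) {
        throw new InvalidArgumentException('value is not one of the offered options');
    }
    return $submitted;
}

$config    = [];
$allowed   = ['wan', 'lan'];               // constructed sample list
$submitted = 'wan";echo exec("id");"';     // value from the report

// Without eval the submitted text is stored as an ordinary string.
set_config_path($config, 'ovpnserver->step10->interface', $submitted);
var_dump($config['ovpnserver']['step10']['interface'] === $submitted);

// With the allow-list check in front, it never reaches the config at all.
try {
    set_config_path($config, 'ovpnserver->step10->interface',
        validate_choice($submitted, $allowed));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```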