Bug #9512: Privilege bypass due to match style used by widget privileges - pfSense - pfSense bugtracker

Actions

Copy link

Bug #9512

closed

Privilege bypass due to match style used by widget privileges

Added by Jim Pingle over 5 years ago. Updated over 5 years ago.

Status:

Resolved

Priority:

Urgent

Assignee:

Jim Pingle

Category:

Web Interface

Target version:

2.4.4-p3

Start date:

05/09/2019

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

All

Description

The current dashboard and widget privileges specify a leading wildcard, for example:

$priv_list['page-dashboard-all']['match'][] = "*.widget.php*";

$priv_list['page-dashboard-widgets']['match'][] = "*.widget.php*";

Due to this loose matching, adding ?&.widget.php" to any URL will allow the user to bypass privileges set on the page when making a GET or POST request.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #9512

Privilege bypass due to match style used by widget privileges

Updated by Jim Pingle over 5 years ago

Updated by Jim Pingle over 5 years ago

Updated by Jim Pingle over 5 years ago

Updated by Jim Pingle over 5 years ago

Updated by Jim Pingle over 5 years ago

Updated by Chris Linstruth over 5 years ago

Updated by Jim Pingle over 5 years ago

Updated by Jim Pingle over 5 years ago