Bug #9846: pfBlockerNG log file download/clear lacks validation - pfSense Packages - pfSense bugtracker

Bug #9846

Added by Jim Pingle 3 months ago. Updated 3 months ago.

Status:

Feedback

Priority:

Very High

Assignee:

Category:

pfBlockerNG

Target version:

Start date:

10/25/2019

Due date:

% Done:

Estimated time:

Affected Version:

Affected Architecture:

Description

The 'logfile' parameter in pfblockerng_log.php is not validated, and allows working on files outside of the expected location.

Due to this lack of validation, arbitrary files can be read or deleted.

Fix submitted by BBcan177 and committed.

Also available in: Atom PDF