Bug #9846

closed

pfBlockerNG log file download/clear lacks validation

Added by Jim Pingle over 4 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Very High
Assignee:
Category: pfBlockerNG
Target version: -
Start date: 10/25/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

The 'logfile' parameter in pfblockerng_log.php is not validated, and allows working on files outside of the expected location.

Due to this lack of validation, arbitrary files can be read or deleted.
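The kind of server-side check the report says is missing, shown as an added example that is not part of the original report and is not pfBlockerNG's code. The function name `resolve_logfile()` and the temporary directory layout are hypothetical and constructed for the demonstration.

```php
<?php
// Added example, not pfBlockerNG code. resolve_logfile() and the demo
// directory layout are hypothetical.

/**
 * Map a user-supplied 'logfile' value to a path inside $logDir.
 * Returns null unless it names a regular file directly in that directory.
 */
function resolve_logfile(string $logDir, string $requested): ?string
{
    $base = realpath($logDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // 1. Allowlist: the value must equal a file name found in the log directory.
    $allowed = [];
    foreach (scandir($base) as $name) {
        if (is_file("$base/$name") && !is_link("$base/$name")) {
            $allowed[] = $name;
        }
    }
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Containment: the canonical path must still sit directly under the base.
    $real = realpath("$base/$requested");
    if ($real === false || dirname($real) !== $base) {
        return null;
    }
    return $real;
}

// Constructed demo data: one file inside the log directory, one outside it.
$root = sys_get_temp_dir() . '/logdemo_' . bin2hex(random_bytes(4));
mkdir("$root/logs", 0700, true);
file_put_contents("$root/logs/example.log", "constructed log line\n");
file_put_contents("$root/outside.conf", "constructed file outside the log dir\n");

foreach (['example.log', '../outside.conf', "$root/outside.conf", 'missing.log'] as $value) {
    $path = resolve_logfile("$root/logs", $value);
    printf("%-45s => %s\n", $value, $path === null ? 'rejected' : 'allowed');
}

// Remove the constructed files again.
array_map('unlink', ["$root/logs/example.log", "$root/outside.conf"]);
rmdir("$root/logs");
rmdir($root);
```

Both the download and the clear action would call the same resolver before touching the file, so a value that is not a listed log name is rejected regardless of what the form offered.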

Actions #2

Updated by Jim Pingle over 4 years ago

  • Private changed from Yes to No

Actions #3

Updated by Jordan G over 3 years ago

  • Status changed from Feedback to Resolved

pfBlockerNG-devel 2.2.5_37 on pfSense 2.4.5p1 only allows elements to be selected in the drop down and I did not appear to be able to change the entries via editing page source. Therefore only files listed could be downloaded/cleared which are contained to pfBlockerNG.
