Bug #9846
Closed
pfBlockerNG log file download/clear lacks validation
Start date: 10/25/2019
% Done: 0%
Description
The 'logfile' parameter in pfblockerng_log.php is not validated, and allows working on files outside of the expected location.
Due to this lack of validation, arbitrary files can be read or deleted.
Updated by Jim Pingle over 4 years ago
- Status changed from New to Feedback
Updated by Jordan G over 3 years ago
- Status changed from Feedback to Resolved
pfBlockerNG-devel 2.2.5_37 on pfSense 2.4.5p1 only allows elements to be selected in the drop-down, and I did not appear to be able to change the entries via editing page source. Therefore, only files listed could be downloaded/cleared, which are contained to pfBlockerNG.
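
A server-side check of the kind this report calls for, as an added example that is not pfBlockerNG's code or its actual fix. The function name `resolve_logfile` and the temporary demo directory are assumptions; the function accepts only a bare file name that resolves to a regular file inside the log directory, independent of what the form's drop-down offers.

```php
<?php
// Added example, not pfBlockerNG code. resolve_logfile() is a hypothetical helper.

/**
 * Map a user-supplied 'logfile' value to a path inside $base_dir.
 * Returns null unless it names a regular file located in that directory.
 */
function resolve_logfile(string $requested, string $base_dir): ?string
{
    // Accept a plain file name only: no separators, NUL bytes, or dot entries.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpos($requested, "\0") !== false
        || $requested !== basename($requested)) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks, so a link inside the log directory that
    // points elsewhere fails the prefix check below.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a temporary directory stands in for the log directory.
$dir = sys_get_temp_dir() . '/pfb_demo_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/pfblockerng.log", "constructed sample line\n");

$inputs = ['pfblockerng.log', '../../etc/passwd', '/etc/passwd', '..', 'missing.log'];
foreach ($inputs as $name) {
    $path = resolve_logfile($name, $dir);
    printf("%-20s => %s\n", $name, $path === null ? 'rejected' : 'accepted');
}

unlink("$dir/pfblockerng.log");
rmdir($dir);
```

Both the download and the clear action would call the same check before touching the file, and treat a null result as an error.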