Bug #9846: pfBlockerNG log file download/clear lacks validation - pfSense Packages - pfSense bugtracker

Bug #9846

pfBlockerNG log file download/clear lacks validation

Added by Jim Pingle about 1 year ago. Updated 2 months ago.

Status:

Resolved

Priority:

Very High

Assignee:

Jim Pingle

Category:

pfBlockerNG

Target version:

Start date:

10/25/2019

Due date:

% Done:

Estimated time:

Affected Version:

Affected Architecture:

Description

The 'logfile' parameter in pfblockerng_log.php is not validated, and allows working on files outside of the expected location.

Due to this lack of validation, arbitrary files can be read or deleted.

History

#1 Updated by Jim Pingle about 1 year ago

Status changed from New to Feedback

Fix submitted by BBcan177 and committed.

https://github.com/pfsense/FreeBSD-ports/commit/38be8c32b1638b230310c0a547532b74609a31bc
https://github.com/pfsense/FreeBSD-ports/commit/b7281ffc1a98d7724d97385c99bd802b526ee0c2

#2 Updated by Jim Pingle about 1 year ago

Private changed from Yes to No

#3 Updated by Jordan Greene 2 months ago

Status changed from Feedback to Resolved

pfBlockerNG-devel 2.2.5_37 on pfSense 2.4.5p1 only allows elements to be selected in the drop down and I did not appear to be able to change the entries via editing page source. Therefore only files listed could be downloaded/cleared which are contained to pfBlockerNG.

Also available in: Atom PDF

Project

General

Profile

pfSense » pfSense Packages

Issues