Netgate Discussion Forum

    A few low-impact vulnerabilities in WebUI

    • cwadge

      Hello again,

      Just some more community-style QA observations on the pfSense 1.3a UI:

      • SilverStripe Tree Control is exposed to an unauthenticated user (append /tree to your webui url).
      • xmlrpc.php can be accessed directly, and additionally can be accessed prior to authentication as above.
      • OSVDB-12184: GET //index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.

      All the best,
      -Chris

      • Subzer0

        Hello,

        Just to add to this topic, it is possible to see the graphs without authentication
        http://x.x.x.x/graph.php?ifnum=le0&ifname=WAN&timeint=3
        http://x.x.x.x/graph.php?ifnum=le0&ifname=LAN&timeint=3

        Or an XSS even without authenticating
        http://x.x.x.x/graph.php?ifnum=

        [1.3-ALPHA-ALPHA
        built on Wed Sep 17 00:29:17 EDT 2008
        FreeBSD 7.0-RELEASE-p4 ]

        All the best

        • cwadge

          Confirmed on latest snapshot: [1.3-ALPHA-ALPHA
          built on Thu Oct 2 06:42:33 EDT 2008
          FreeBSD 7.0-RELEASE-p4 ]

          • cmb

            @cwadge:

            • SilverStripe Tree Control is exposed to an unauthenticated user (append /tree to your webui url).

            Don't think there's anything we can do about this because of the way the auth works. That doesn't let you do anything, though it would be nice to not let anything through without auth.

            @cwadge:

            • xmlrpc.php can be accessed directly, and additionally can be accessed prior to authentication as above.

            I believe it has to be, the way it works. Can you provide a diff with suggested changes that works correctly?

            @cwadge:

            • OSVDB-12184: GET //index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.

            Looking into this.

            @Subzer0:

            Just to add to this topic, it is possible to see the graphs without authentication
            http://x.x.x.x/graph.php?ifnum=le0&ifname=WAN&timeint=3
            http://x.x.x.x/graph.php?ifnum=le0&ifname=LAN&timeint=3

            Or an XSS even without authenticating
            http://x.x.x.x/graph.php?ifnum=

            This is how it is in m0n0wall, so I'm guessing it's that way for a reason. Can you provide a diff with verified working changes that resolves this?

            • sullrich

              #1 Nothing we can do about
              #2 xmlrpc.php has its own authentication built in
              #3 Fixed
              #4 Fixed

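One way to handle the `graph.php` query parameters reported in the thread (`ifnum`, `ifname`, `timeint`), shown as an added example that is not part of any post and is not pfSense or m0n0wall code. The function names, the interface map and the 1 to 60 second range are assumptions.

```php
<?php
// Added example, not pfSense or m0n0wall code. Function names, the interface
// map and the 1-60 second range are assumptions for illustration.

/** Validate the graph.php query parameters; null means "reject the request". */
function validate_graph_params(array $query, array $interfaces): ?array
{
    $ifnum   = $query['ifnum']   ?? null;
    $timeint = $query['timeint'] ?? null;

    // Reject missing values and array-typed parameters (?ifnum[]=...).
    if (!is_string($ifnum) || !is_string($timeint)) {
        return null;
    }
    // ifnum must name an interface the firewall actually has (allow-list).
    if (!array_key_exists($ifnum, $interfaces)) {
        return null;
    }
    // timeint must be a plain integer in a sane range.
    $interval = filter_var($timeint, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 60]]);
    if ($interval === false) {
        return null;
    }
    return [
        'ifnum'   => $ifnum,
        // Label comes from server-side data; the request's ifname is ignored.
        'ifname'  => $interfaces[$ifnum],
        'timeint' => $interval,
    ];
}

/** Encode a value for HTML/SVG text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data: an interface map and two requests.
$interfaces = ['le0' => 'WAN', 'le1' => 'LAN'];
$requests = [
    ['ifnum' => 'le0',    'ifname' => 'WAN', 'timeint' => '3'],
    ['ifnum' => 'le0<b>', 'ifname' => 'WAN', 'timeint' => '3'],
];
foreach ($requests as $query) {
    $params = validate_graph_params($query, $interfaces);
    echo $params === null
        ? "400 Bad Request\n"
        : sprintf("<title>%s (%s), %ds</title>\n", h($params['ifname']), h($params['ifnum']), $params['timeint']);
}
```

The allow-list is the primary control here: HTML encoding alone does not protect a value that ends up inside inline script, whereas a value that must match a known interface name cannot carry markup at all.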
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.