A few low-impact vulnerabilities in WebUI
-
Hello again,
Just some more community-style QA observations on the PFSense 1.3a UI:
- SilverStripe Tree Control is exposed to an unauthenticated user (append /tree to your webui url).
- xmlrpc.php can be accessed directly, and additionally can be accessed prior to authentication as above.
- OSVDB-12184: GET //index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
All the best,
-Chris
-
Hello,
Just to add to this topic, it is possible to see the graphs without authentication:
http://x.x.x.x/graph.php?ifnum=le0&ifname=WAN&timeint=3
http://x.x.x.x/graph.php?ifnum=le0&ifname=LAN&timeint=3
Or a XSS even without authenticating:
http://x.x.x.x/graph.php?ifnum=
[1.3-ALPHA-ALPHA built on Wed Sep 17 00:29:17 EDT 2008 FreeBSD 7.0-RELEASE-p4 ]
All the best
-
Confirmed on latest snapshot: [1.3-ALPHA-ALPHA built on Thu Oct 2 06:42:33 EDT 2008 FreeBSD 7.0-RELEASE-p4 ]
-
> - SilverStripe Tree Control is exposed to an unauthenticated user (append /tree to your webui url).
Don't think there's anything we can do about this because of the way the auth works. That doesn't let you do anything, though it would be nice to not let anything through without auth.
> - xmlrpc.php can be accessed directly, and additionally can be accessed prior to authentication as above.
I believe it has to be, the way it works. Can you provide a diff with suggested changes that works correctly?
> - OSVDB-12184: GET //index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
Looking into this.
> Just to add to this topic, it is possible to see the graphs without authentication
> http://x.x.x.x/graph.php?ifnum=le0&ifname=WAN&timeint=3
> http://x.x.x.x/graph.php?ifnum=le0&ifname=LAN&timeint=3
> Or a XSS even without authenticating
> http://x.x.x.x/graph.php?ifnum=
This is how it is in m0n0wall, so I'm guessing it's that way for a reason. Can you provide a diff with verified working changes that resolves this?
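As an added illustration (not pfSense or m0n0wall code), this is the shape of change the diff request above is asking for: check for a session before graph.php emits anything, accept ifnum only if it names a configured interface, take the display name from the configuration rather than the query string, and escape whatever is echoed. The session variable, the interface list and the function names are assumptions.

```php
<?php
// Illustrative hardening for the graph.php parameters discussed in the thread.
// Not pfSense code; names and the session key are placeholders.

// Stand-in for whatever session check the webGUI actually uses.
function require_authenticated_session(): void
{
    session_start();
    if (empty($_SESSION['logged_in'])) {   // assumed session flag
        header('HTTP/1.1 403 Forbidden');
        exit('Authentication required');
    }
}

// Constructed allowlist standing in for the interfaces read from config.xml.
function known_interfaces(): array
{
    return ['le0' => 'WAN', 'le1' => 'LAN'];
}

// Returns sanitized parameters, or null when any of them is not acceptable.
function validate_graph_params(array $query, array $interfaces): ?array
{
    $ifnum   = $query['ifnum']   ?? '';
    $timeint = $query['timeint'] ?? '';

    // ifnum must be exactly one of the configured device names.
    if (!is_string($ifnum) || !array_key_exists($ifnum, $interfaces)) {
        return null;
    }
    // ifname is only display text, so derive it from config instead of trusting input.
    $ifname = $interfaces[$ifnum];

    // timeint is a small positive integer; reject anything else.
    if (!is_string($timeint) || !preg_match('/^[1-9][0-9]{0,2}$/', $timeint)) {
        return null;
    }
    return ['ifnum' => $ifnum, 'ifname' => $ifname, 'timeint' => (int)$timeint];
}

require_authenticated_session();
$params = validate_graph_params($_GET, known_interfaces());
if ($params === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid graph parameters');
}
// Escape on output as well, even though the values were validated above.
$title = htmlspecialchars($params['ifname'], ENT_QUOTES | ENT_XML1, 'UTF-8');
echo "<title>{$title} traffic, {$params['timeint']}s</title>\n";
```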
-
#1 Nothing we can do about
#2 xmlrpc.php has its own authentication built in
#3 Fixed
#4 Fixed