Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Full Disclosure local file inclusion "0 day" vulnerability

    Scheduled Pinned Locked Moved Messages from the pfSense Team
    1 Posts 1 Posters 2.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C Offline
      cmb
      last edited by

      A post today on the Full Disclosure list disclosed a "0 day" local file inclusion vulnerability. We've already fixed it for 2.2.6 and in 2.3, but the person who discovered it didn't wait until the release as we requested to disclose it.

      As is often the case with these self-promotional messages, the likely impact is greatly exaggerated for nearly all real world use cases. A variety of people who aren't really looking at the issue see "LFI/RCE" and start spewing misleading things. Here is the reality of it.

      A user with limited administrative rights having privileges to write files to the filesystem, and access to pkg.php or wizard.php pages, can escalate their privileges to that of a full administrator. In the vast majority of circumstances, admin users with rights to write files have full admin-level privileges, which makes it non-applicable.

      2.2.6 release is coming soon for that and other reasons. If that circumstance actually applies to anyone, the most recent 2.2.6 snapshots should be nearly identical to release.
      64 bit
      32 bit

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.