LauLeysen/CVE-2024-46538

Thanks to physicszq, who discovered this vulnerability.

CVE-2024-46538

★ CVE-2024-46538 PfSense Stored XSS Leads to Arbitrary Code Execution PoC ★

Description

CVE-2024-46538 : PfSense Stored XSS Vulnerability

description: A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.

Lab Setup

Download the vulnerable version (v2.5.2):

Analysis

/src/usr/local/www/interfaces_groups_edit.php

	// Member list is built directly from the request values
	if (isset($_POST['members'])) {
		$members = implode(" ", $_POST['members']);
	} else {
		$members = "";
	}
...
		// Create new group
		} else {
			$ifgroupentry['ifname'] = $_POST['ifname'];
			$a_ifgroups[] = $ifgroupentry;
		}

		write_config("Interface Group added");
		interface_group_setup($ifgroupentry);

		header("Location: interfaces_groups.php");
		exit;
	} else {
		// Request values are copied into $pconfig unchanged
		$pconfig['descr'] = $_POST['descr'];
		$pconfig['members'] = $members;
	}
}

Lack of filtering of the $pconfig variable in interfaces_groups_edit.php leads to a stored cross-site scripting (XSS) vulnerability. The XSS allows attackers to use the diag_command.php endpoint to execute arbitrary commands in the context of an administrator's session. For example, the following JavaScript can lead to arbitrary code execution.

Scenario

User (Has Privilege: WebCfg - Interfaces: Groups: Edit) --(Store Malicious JavaScript Code)--> Admin (Has Privilege to execute code) --(Read interfaces_groups.php)--> JavaScript Code Execute --> Code Execution
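The fix pattern for the handler shown under Analysis, as an added example that is not taken from pfSense or from this repository: validate the member list against known interface names on input, and HTML-encode every stored value at the point of output. The function names, the `KNOWN_INTERFACES` list and the sample request are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not pfSense source. All names below are hypothetical.

// Constructed allow-list standing in for the interfaces configured on the firewall.
const KNOWN_INTERFACES = ['wan', 'lan', 'opt1'];

// Mirrors the pattern in the excerpt: request values are joined and kept unchanged.
function build_pconfig_unsafe(array $post): array {
    $members = isset($post['members']) ? implode(' ', $post['members']) : '';
    return ['descr' => $post['descr'] ?? '', 'members' => $members];
}

// Hardened input handling: keep only members that exactly match a known interface.
function build_pconfig_validated(array $post, array &$input_errors): array {
    $members = [];
    foreach ((array)($post['members'] ?? []) as $m) {
        if (is_string($m) && in_array($m, KNOWN_INTERFACES, true)) {
            $members[] = $m;
        } else {
            $input_errors[] = 'Unknown interface in member list.';
        }
    }
    return [
        'descr'   => (string)($post['descr'] ?? ''),
        'members' => implode(' ', $members),
    ];
}

// Encode at the point of output, regardless of what validation ran earlier.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: one legitimate member and one value carrying benign markup.
$post = ['descr' => 'DMZ <b>group</b>', 'members' => ['lan', '"><i>x</i>']];

$unsafe = build_pconfig_unsafe($post);
echo "unsafe members : ", $unsafe['members'], "\n";    // markup survives intact

$errors = [];
$safe = build_pconfig_validated($post, $errors);
echo "valid members  : ", $safe['members'], "\n";      // only the known interface
echo "input errors   : ", count($errors), "\n";
echo "encoded descr  : ", h($safe['descr']), "\n";     // free text is encoded
echo "encoded unsafe : ", h($unsafe['members']), "\n"; // encoding neutralises markup
```

Validation alone does not cover the free-text description field, which is why the output encoding step is applied to every value written into the page.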

Disclaimer

This repository is not intended to be an XSS exploit for CVE-2024-46538. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications.

References

https://github.com/physicszq/web_issue/blob/main/pfsense/interfaces_groups_edit_file.md_xss.md