
CVE-2023-27253: Bug #13935: RRD restore process does not sanitize filenames from backup XML - pfSense

A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.


closed

RRD restore process does not sanitize filenames from backup XML

Category: Backup / Restore

Plus Target Version: 23.01

Description

The code in source:src/etc/inc/config.lib.inc#L291 which restores RRD files from a config.xml backup does not escape the filenames supplied in config.xml XML tags. It should also be doing a basename() for good measure. The code which makes the backup has a similar incorrect method of quoting and though it is not possible for the user to control the parameters in that command, it’s still not ideal and should be corrected.

This is only to ensure the user can’t break it with accidental bad data they may have manually edited into those fields against advice.

This is not a security concern as anyone with access to restore a backup can already do anything and everything they want to the firewall.

Reported by: E-mail from Emir Polat
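The handling the description asks for (basename() on the XML-supplied filename, and real shell escaping instead of hand-written quotes), as an added PHP example that is not pfSense's code. `RRD_DIR`, the function names, the allow-list pattern and the sample filenames are assumptions made for illustration.

```php
<?php
// Added example, not pfSense code. RRD_DIR and both function names are hypothetical.
const RRD_DIR = '/var/db/rrd';

/**
 * Reduce a filename taken from a backup XML tag to a path inside RRD_DIR.
 * Returns null when the name is not a plain *.rrd filename.
 */
function safe_rrd_path(string $xml_filename): ?string
{
    // basename() drops every directory component, including "../" sequences.
    $name = basename(trim($xml_filename));
    // Allow-list (an assumption): letters, digits, dot, underscore, hyphen, ending in .rrd.
    if (!preg_match('/\A[A-Za-z0-9._-]+\.rrd\z/', $name)) {
        return null;
    }
    return RRD_DIR . '/' . $name;
}

/**
 * Build the restore command with each variable argument passed through
 * escapeshellarg() rather than wrapped in literal quote characters.
 */
function build_restore_cmd(string $xml_dump, string $xml_filename): ?string
{
    $rrd_path = safe_rrd_path($xml_filename);
    if ($rrd_path === null) {
        return null;
    }
    return 'rrdtool restore -f ' . escapeshellarg($xml_dump) . ' ' . escapeshellarg($rrd_path);
}

// Constructed sample values standing in for filename tags from a backup file.
$samples = [
    'wan-traffic.rrd',            // well-formed name
    '../../etc/wan-traffic.rrd',  // path components are stripped by basename()
    "lan quality's.rrd",          // a quote or space breaks hand-written '...' quoting
    '',                           // empty tag
];
foreach ($samples as $s) {
    $cmd = build_restore_cmd('/tmp/dump.xml', $s);
    printf("%-30s => %s\n", var_export($s, true), $cmd ?? 'rejected');
}
```

The first two samples produce a command targeting `/var/db/rrd/wan-traffic.rrd`; the other two are rejected before any command string is built.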


  • Status changed from New to Feedback

  • % Done changed from 0 to 100

  • Description updated (diff)

  • Status changed from Feedback to Resolved

Backup and restore of RRD works as expected on current builds.

  • Description updated (diff)
