Headline
CVE-2023-48123: Bug #14809: ``packet_capture.php`` uses ``count`` and ``length`` values in command execution without validation or encoding - pfSense
An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packet_capture.php file.
closed
``packet_capture.php`` uses ``count`` and ``length`` values in command execution without validation or encoding
Plus Target Version: 23.09
Description
The packet_capture.php page uses the values of count and length when executing tcpdump and it doesn’t validate that these parameters are the intended type or encode them before use.
The form type is set to ‘number’ but that client-side validation does not prevent clients from submitting invalid data.
Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for ``$_POST['count']`` or ``$_POST['length']``.
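The server-side check the description says is missing can be sketched as follows. This is an added example, not pfSense's code or the fix that was committed: the function names, numeric bounds, interface name and tcpdump path are assumptions chosen for illustration.

```php
<?php
// Added illustration, not pfSense source. Helper names and bounds are hypothetical.

/** Return $raw as an int within [$min, $max], or null if it is not a plain integer. */
function validate_int_param($raw, int $min, int $max): ?int
{
    if (!is_string($raw)) {
        return null; // arrays (count[]=...) and missing fields are rejected
    }
    // FILTER_VALIDATE_INT rejects anything that is not a whole decimal integer,
    // so trailing text, exponents and empty strings all fail here.
    $value = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return ($value === false) ? null : $value;
}

/** Build the tcpdump command line from validated values only. */
function build_capture_command(string $iface, $rawCount, $rawLength): ?string
{
    $count  = validate_int_param($rawCount, 1, 1000000);  // assumed upper bound
    $length = validate_int_param($rawLength, 0, 262144);  // assumed upper bound
    if ($count === null || $length === null) {
        return null; // refuse to run anything; report an input error instead
    }
    // $iface should also be checked against the list of configured interfaces.
    $args = ['/usr/sbin/tcpdump', '-i', $iface,
             '-c', (string)$count, '-s', (string)$length];
    // Encode every argument, so no value is ever interpreted by the shell.
    return implode(' ', array_map('escapeshellarg', $args));
}

// Constructed sample submissions standing in for $_POST['count'] / $_POST['length'].
$samples = [
    ['100', '0'],        // valid
    ['100 extra', '0'],  // trailing text: rejected
    ['1e3', '96'],       // not a plain integer: rejected
    [['100'], '0'],      // array instead of scalar: rejected
];
foreach ($samples as [$c, $l]) {
    $cmd = build_capture_command('em0', $c, $l);
    echo json_encode($c), ' / ', json_encode($l), ' => ', $cmd ?? 'REJECTED', "\n";
}
```

The validated integer, not the original request string, is what reaches the command line, and each argument is encoded separately, so the two controls do not depend on each other.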
History
Status changed from Confirmed to Feedback
% Done changed from 0 to 100
Status changed from Feedback to Resolved
Target version changed from 2.8.0 to 2.7.1
Category changed from Diagnostics to Packet Capture
Private changed from Yes to No