Netgate pfSense CE
cpe:2.3:a:netgate:pfsense:*:*:*:*:*:*:*
- 2.8.0
A local file disclosure vulnerability has been identified in Netgate pfSense CE version 2.8.0. The issue arises in the 'WebCfg - Diagnostics: Command' privilege, which allows authenticated users to read arbitrary files from the system via directory traversal in the 'dlPath' parameter of 'diag_command.php'. This vulnerability exists because the 'dlPath' parameter is not properly sanitized or restricted, enabling users to access files beyond their intended permissions.
Exploitation of this vulnerability allows any pfSense user with the 'WebCfg - Diagnostics: Command' privilege to read sensitive local system files, including configuration backups, credentials, and private keys. This access violates the principle of least privilege, since a permission intended to expose one diagnostic function instead grants read access to the whole filesystem.
To reproduce this vulnerability, create a user group with low privileges and assign the 'WebCfg - Diagnostics: Command' permission. After logging in as this user, navigate to the diagnostics command page. Once authenticated, extract the CSRF token and use it to send a POST request to 'diag_command.php' with the 'submit' parameter set to 'DOWNLOAD' and the 'dlPath' parameter containing the path of the file to be accessed, such as '/etc/passwd'.
Resolve the 'dlPath' parameter with 'realpath()' and require the result to lie under a safe base directory, such as '/tmp', before serving the file. Reject paths containing directory traversal sequences or absolute paths, and consider implementing a safelist of allowed files or confining downloads to a dedicated temporary artifact directory.
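The following is an added example of the containment check described above; it is not pfSense's own code, and the function name 'safe_download_path()' and its parameters are assumptions. It uses '/tmp' as the base directory, as the advisory suggests, and resolves the requested path with 'realpath()' so that symlinks and '..' components cannot escape the base.

```php
<?php
// Added example, not code from pfSense or diag_command.php.
// safe_download_path() is a hypothetical helper name.
//
// Returns the canonical absolute path of a file under $baseDir, or null when the
// request must be refused. Callers should only ever serve the returned path.
function safe_download_path(string $requested, string $baseDir = '/tmp', array $allowedNames = []): ?string
{
    // Embedded NUL bytes can truncate the path in lower-level C calls; refuse them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Fail fast on absolute paths and traversal sequences. realpath() below is the
    // actual control; this check just keeps rejected requests easy to spot in logs.
    // Note: rejecting any '..' substring also refuses odd but legal names like 'a..b'.
    if ($requested === '' || $requested[0] === '/' || strpos($requested, '..') !== false) {
        return null;
    }

    // Canonicalise the base once; realpath() returns false if it does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Resolve the candidate relative to the base. realpath() follows symlinks and
    // collapses '.' and '..', and returns false for a non-existent file.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false) {
        return null;
    }

    // Containment check with a trailing separator so that a sibling directory that
    // merely shares the prefix (e.g. '/tmpfoo' against base '/tmp') does not pass.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Only serve regular files, never directories or devices.
    if (!is_file($resolved)) {
        return null;
    }

    // Optional safelist: when the caller supplies allowed basenames, require a match.
    if ($allowedNames !== [] && !in_array(basename($resolved), $allowedNames, true)) {
        return null;
    }

    return $resolved;
}

// Intended use in a download handler (illustrative; $_POST['dlPath'] mirrors the
// parameter named in the advisory):
//
// $path = safe_download_path($_POST['dlPath'] ?? '', '/tmp');
// if ($path === null) {
//     http_response_code(400);
//     exit('Invalid download path');
// }
// // ... stream $path to the client ...
```

With this check in place, a request such as 'dlPath=../etc/passwd' is rejected by the traversal pre-check, and a symlink inside '/tmp' pointing at '/etc' is rejected by the 'realpath()' containment check, because the resolved target no longer starts with '/tmp/'. Requests for files that were never written under the base directory simply return null.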