“Not a Security Issue” in PFSense Firewall(Netgate)
dark-haxor
March 23, 2026 (Updated: March 23, 2026)
Source Code: pfsense/pfsense: Main repository for pfSense
Authenticated Stored XSS (Diagnostics Tables Comments)
Description
The page `diag_tables.php` lets administrators view the contents of any `pf` table (such as alias lists). For URL Table aliases, the page reads the local cache file (normally a text file under `/var/db/aliastables/`) and displays the descriptive comment lines, i.e. the lines that start with `#`.
Because that data is output through the `print_info_box` layout helper without passing through an output encoder such as `htmlspecialchars()`, an attacker who controls a comment line can place JavaScript in it, and it executes in the administrator's dashboard.
---
Vulnerability Mechanics
1. Reading File :
In `src/usr/local/www/diag_tables.php`, the script extracts the lines beginning with `#` from the table's backing file (line 199):
```php
$res = exec('/usr/bin/grep -i -m 10 -E "^#" ' . $table_file, $comment_lines);
```
2. String Concat :
The resulting lines are concatenated directly, without any sanitization (lines 201-203):
```php
foreach ($comment_lines as $comment_line) {
    $table_comments .= "$comment_line" . "\n";
}
```
3. Raw Render :
The string is passed into `print_info_box` at line 207 (the quoted call did not survive on this page). The helper does not escape its output, so a script payload in a comment line is rendered straight into the page's DOM.
---
Proof of Concept (Live Demonstration)
1. Preparation :
Create a table whose backing file carries a malicious script comment:
```bash
/sbin/pfctl -t evil_table -T add 1.1.1.1
echo '# ' > /var/db/aliastables/evil_table.txt   # the payload inside the quotes was stripped from the page
```
2. Access Page :
Navigate directly to the page that renders the table:
http://[PFsense_IP]/diag_tables.php?type=evil_table
3. Trigger Execution :
Click "Show table comments". The script executes immediately in the browser.
---
Impact
Administrative Access Abuse : Execution inside the authenticated administration session can be leveraged to replay the administrator's session tokens or to redirect the administrator to a phishing endpoint.
Poison Source vectors : An external site serving a malicious alias list can target every administrator who reviews the cached table, since the URL Table cache is fetched from that site.
---
Response from Netgate Security Team
They responded that the issue was fixed, but when asked for a security advisory (with the lowest exploitability rating) they refused everything, saying it's not a vulnerability. So if anyone in here is able to escalate this situation into further cases, please feel free to not exploit the issue globally :3 Until next IR-Responsible disclosure!
#pfsense #bug-bounty #net-gate #security #irresponsible-disclosure
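As an added example (not pfSense's own code and not from the author): the comment-rendering path this write-up describes, once concatenated raw as `diag_tables.php` does it and once with each line HTML-encoded before it is handed to the info-box helper. The cache-file contents, the `extract_comment_lines` filter and the function names are constructed for the example.

```php
<?php
// Added example, not pfSense's own code: the comment rendering path from
// diag_tables.php, unescaped as the write-up describes it, and a hardened
// form that HTML-encodes each line. File contents and helper names are constructed.

// Filter mirroring grep -i -m 10 -E "^#": keep only real comment lines and cap
// their length so a hostile cache file cannot bloat the page (constructed helper).
function extract_comment_lines(string $file_contents, int $max = 10): array {
    $kept = [];
    foreach (preg_split('/\R/', $file_contents) as $line) {
        if ($line !== '' && $line[0] === '#') {
            $kept[] = substr($line, 0, 512);
            if (count($kept) >= $max) {
                break;
            }
        }
    }
    return $kept;
}

// Pattern the page shows: raw concatenation, result handed to print_info_box,
// which emits it as HTML, so any markup in a comment line becomes live markup.
function render_comments_unescaped(array $lines): string {
    $table_comments = '';
    foreach ($lines as $comment_line) {
        $table_comments .= $comment_line . "\n";
    }
    return $table_comments;
}

// Hardened form: encode every line before it reaches the HTML helper.
// ENT_QUOTES also encodes ' and ", so attribute injection is closed as well.
function render_comments_escaped(array $lines): string {
    $table_comments = '';
    foreach ($lines as $comment_line) {
        $table_comments .= htmlspecialchars($comment_line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
    }
    return $table_comments;
}

// Constructed stand-in for /var/db/aliastables/<table>.txt fetched from a URL Table source.
$cache_file_contents = "# Blocklist v3, refreshed daily\n"
    . "# <img src=x onerror=\"alert(document.cookie)\">\n"   // hostile comment line
    . "192.0.2.10\n192.0.2.11\n";                            // the actual table entries

$comment_lines = extract_comment_lines($cache_file_contents);
echo "UNSAFE:\n", render_comments_unescaped($comment_lines);  // <img ...> is live HTML
echo "SAFE:\n",   render_comments_escaped($comment_lines);    // &lt;img ... &gt; is inert text
```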