Netgate SG-1000 microFirewall

Author Topic: Full Disclosure local file inclusion "0 day" vulnerability  (Read 2067 times)

0 Members and 1 Guest are viewing this topic.

Offline cmb

  • Hero Member
  • *****
  • Posts: 11228
  • Karma: +896/-7
    • View Profile
    • Chris Buechler
Full Disclosure local file inclusion "0 day" vulnerability
« on: December 18, 2015, 08:48:36 pm »
A post today on the Full Disclosure list disclosed a "0 day" local file inclusion vulnerability. We've already fixed it for 2.2.6 and in 2.3, but the person who discovered it didn't wait until the release as we requested to disclose it.

As is often the case with these self-promotional messages, the likely impact is greatly exaggerated for nearly all real world use cases. A variety of people who aren't really looking at the issue see "LFI/RCE" and start spewing misleading things. Here is the reality of it.

A user with limited administrative rights having privileges to write files to the filesystem, and access to pkg.php or wizard.php pages, can escalate their privileges to that of a full administrator. In the vast majority of circumstances, admin users with rights to write files have full admin-level privileges, which makes it non-applicable.

2.2.6 release is coming soon for that and other reasons. If that circumstance actually applies to anyone, the most recent 2.2.6 snapshots should be nearly identical to release.
64 bit
32 bit