CVE-2025-34173
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-10-20
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pfsense | pfsense | to 2.8.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the pfSense Snort package, specifically in the file snort_ip_reputation.php. The iplist parameter is not properly sanitized to remove directory traversal characters before checking if a file exists. Although an attacker cannot read file contents, they can determine whether arbitrary files exist on the server by exploiting this flaw. The attacker must be authenticated with at least 'WebCfg - Services: Snort package' permissions to exploit this. [1]
How can this vulnerability impact me? :
The vulnerability allows an authenticated attacker to enumerate files on the server by checking for their existence without proper input validation. This can lead to information disclosure about the server's file structure, which may aid further attacks or reconnaissance. However, the attacker cannot read the contents of the files. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the directory traversal in the iplist parameter of the Snort package's snort_ip_reputation.php page while authenticated with appropriate permissions. A test could involve sending crafted POST requests to /usr/local/www/snort/snort_ip_reputation.php with iplist values containing directory traversal strings (e.g., ../../etc/passwd) and observing if the server reveals whether such files exist. Specific commands could include using curl or similar tools to send such POST requests and checking the response for file existence indications. For example: curl -X POST -d "iplist=../../etc/passwd" https://<pfsense-ip>/snort/snort_ip_reputation.php --cookie "<auth-cookie>". Note that authentication with "WebCfg - Services: Snort package" permissions is required. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the pfSense Snort package to a version that contains the fix for this vulnerability. The fix is included in pfSense Plus versions 25.07.1 and 25.07, and Community Edition versions 2.8.1 and 2.8.0. The update restricts file existence checks to the designated IP reputation directory, preventing directory traversal attacks. Until the update is applied, restrict access to the Snort package web interface to trusted users only, ensuring that only authenticated users with the necessary permissions can access it. [1, 2]