Full title: pfSense 2.1.3-RELEASE (amd64) Remote Command Execution Exploit 
Category: remote exploits
Platform: php
pfSense, a free BSD based open source firewall distribution, versions 2.2.6 and below contain a remote command execution vulnerability post authentication in the _rrd_graph_img.php page. The vulnerability occurs via the graph GET parameter. A non-administrative authenticated attacker can inject arbitrary operating system commands and execute them as the root user. Verified against 2.1.3.

# 0day.today @ http://0day.today/