Full Disclosure: Authenticated Command Execution Vulnerability in pfSense <= 2.3.1_1 (pfSense-SA-16_08.webgui)

November 17, 2017

On 05/19/2016 Scott White of TrustedSec discovered an authenticated command injection vulnerability in pfSense. It was responsibly disclosed to pfSense (security@pfsense.org) on 06/08/2016 and promptly fixed by the pfSense development team. TrustedSec wants to thank the pfSense team for the impressive response time and for providing a great open source project. Although the vulnerability was…
Ruby ERB Template Injection

September 13, 2017

Written by Scott White & Geoff Walton. Templates are commonly used both client- and server-side in many of today's web applications. Many template engines are available across several programming languages; examples include Smarty, Mako, Jinja2, Jade, Velocity, FreeMarker, and Twig. Template injection is a type of injection attack that can have some particularly…