Merge branch 'ent-11780-remote-code-execution-via-mibs-file-uploader' into 'develop'

Ent 11780 remote code execution via mibs file uploader See merge request artica/pandorafms!6357
2023-09-04 12:59:59 +00:00 · 2023-09-04 12:59:59 +00:00 · 025aa9f72a
parent 3307b95c54 32c2925515
commit 025aa9f72a
1 changed files with 33 additions and 3 deletions
--- a/pandora_console/include/functions_filemanager.php
+++ b/pandora_console/include/functions_filemanager.php
@ -125,9 +125,22 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
        if (isset($_FILES['file']) === true && empty($_FILES['file']['name']) === false) {
            $filename       = $_FILES['file']['name'];
            $real_directory = filemanager_safe_directory($destination_directory);
-            $umask          = io_safe_output((string) get_parameter('umask'));
+            $extension = pathinfo($filename, PATHINFO_EXTENSION);

-            if (strpos($real_directory, $default_real_directory) !== 0) {
+            $umask          = io_safe_output((string) get_parameter('umask'));
+            $parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY));
+            $parse_sec2_query = explode('=', $parse_all_queries[1]);
+            $check_extension = true;
+            if ($parse_sec2_query[1] === 'operation/snmpconsole/snmp_mib_uploader') {
+                if ((strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')) {
+                    $check_extension = false;
+                } else {
+                    $check_extension = true;
+                }
+            }
+
+            // (strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')
+            if (strpos($real_directory, $default_real_directory) !== 0 || $check_extension === false) {
                // Perform security check to determine whether received upload
                // directory is part of the default path for caller uploader and
                // user is not trying to access an external path (avoid
@ -177,14 +190,31 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_

    // Upload zip.
    if ($upload_zip === true) {
+        $parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY));
+        $parse_sec2_query = explode('=', $parse_all_queries[1]);
        if (isset($_FILES['file']) === true
            && empty($_FILES['file']['name']) === false
        ) {
            $filename = $_FILES['file']['name'];
            $filepath = $_FILES['file']['tmp_name'];
            $real_directory = filemanager_safe_directory($destination_directory);
+            $secure = true;
+            if ($parse_sec2_query[1] === 'operation/snmpconsole/snmp_mib_uploader') {
+                // Security control structure.
+                $zip = new \ZipArchive;
+                if ($zip->open($filepath) === true) {
+                    for ($i = 0; $i < $zip->numFiles; $i++) {
+                        $unzip_filename = $zip->getNameIndex($i);
+                        $extension = pathinfo($unzip_filename, PATHINFO_EXTENSION);
+                        if (strtolower($extension) !== 'mib') {
+                            $secure = false;
+                            break;
+                        }
+                    }
+                }
+            }

-            if (strpos($real_directory, $default_real_directory) !== 0) {
+            if (strpos($real_directory, $default_real_directory) !== 0 || $secure === false) {
                // Perform security check to determine whether received upload
                // directory is part of the default path for caller uploader
                // and user is not trying to access an external path (avoid