From 44467d1ce1132a2c4ebddfe143de3fdb0546361d Mon Sep 17 00:00:00 2001 From: miguel angel rasteu Date: Thu, 24 Aug 2023 12:19:15 +0200 Subject: [PATCH 1/3] #11780 Check mib upload security --- .../include/functions_filemanager.php | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/pandora_console/include/functions_filemanager.php b/pandora_console/include/functions_filemanager.php index 50ca449123..c65e23f441 100644 --- a/pandora_console/include/functions_filemanager.php +++ b/pandora_console/include/functions_filemanager.php @@ -125,9 +125,11 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_ if (isset($_FILES['file']) === true && empty($_FILES['file']['name']) === false) { $filename = $_FILES['file']['name']; $real_directory = filemanager_safe_directory($destination_directory); + $extension = pathinfo($filename, PATHINFO_EXTENSION); + $umask = io_safe_output((string) get_parameter('umask')); - if (strpos($real_directory, $default_real_directory) !== 0) { + if (strpos($real_directory, $default_real_directory) !== 0 || (strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')) { // Perform security check to determine whether received upload // directory is part of the default path for caller uploader and // user is not trying to access an external path (avoid @@ -184,7 +186,21 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_ $filepath = $_FILES['file']['tmp_name']; $real_directory = filemanager_safe_directory($destination_directory); - if (strpos($real_directory, $default_real_directory) !== 0) { + // Security control structure. + $zip = new \ZipArchive; + $secure = true; + if ($zip->open($filepath) === true) { + for ($i = 0; $i < $zip->numFiles; $i++) { + $unzip_filename = $zip->getNameIndex($i); + $extension = pathinfo($unzip_filename, PATHINFO_EXTENSION); + if (strtolower($extension) !== 'mib') { + $secure = false; + break; + } + } + } + + if (strpos($real_directory, $default_real_directory) !== 0 || $secure === false) { // Perform security check to determine whether received upload // directory is part of the default path for caller uploader // and user is not trying to access an external path (avoid From e8613dc2f0e2fdd34022ef8d40974188e31b44c2 Mon Sep 17 00:00:00 2001 From: miguel angel rasteu Date: Mon, 28 Aug 2023 10:45:42 +0200 Subject: [PATCH 2/3] #11780 Fix mibs upload --- .../include/functions_filemanager.php | 34 +++++++++++++------ 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/pandora_console/include/functions_filemanager.php b/pandora_console/include/functions_filemanager.php index c65e23f441..a69a9f8894 100644 --- a/pandora_console/include/functions_filemanager.php +++ b/pandora_console/include/functions_filemanager.php @@ -128,8 +128,19 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_ $extension = pathinfo($filename, PATHINFO_EXTENSION); $umask = io_safe_output((string) get_parameter('umask')); + $parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY)); + $parse_sec2_query = explode('=', $parse_all_queries[1]); + $check_extension = true; + if ($parse_sec2_query[1] === 'operation/snmpconsole/snmp_mib_uploader') { + if ((strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')) { + $check_extension = false; + } else { + $check_extension = true; + } + } - if (strpos($real_directory, $default_real_directory) !== 0 || (strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')) { + // (strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip') + if (strpos($real_directory, $default_real_directory) !== 0 || $check_extension === false) { // Perform security check to determine whether received upload // directory is part of the default path for caller uploader and // user is not trying to access an external path (avoid @@ -185,17 +196,18 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_ $filename = $_FILES['file']['name']; $filepath = $_FILES['file']['tmp_name']; $real_directory = filemanager_safe_directory($destination_directory); - - // Security control structure. - $zip = new \ZipArchive; $secure = true; - if ($zip->open($filepath) === true) { - for ($i = 0; $i < $zip->numFiles; $i++) { - $unzip_filename = $zip->getNameIndex($i); - $extension = pathinfo($unzip_filename, PATHINFO_EXTENSION); - if (strtolower($extension) !== 'mib') { - $secure = false; - break; + if ($parse_sec2_query[1] === 'operation/snmpconsole/snmp_mib_uploader') { + // Security control structure. + $zip = new \ZipArchive; + if ($zip->open($filepath) === true) { + for ($i = 0; $i < $zip->numFiles; $i++) { + $unzip_filename = $zip->getNameIndex($i); + $extension = pathinfo($unzip_filename, PATHINFO_EXTENSION); + if (strtolower($extension) !== 'mib') { + $secure = false; + break; + } } } } From 32c292551584dfdbe53e68bf884d310171b70f31 Mon Sep 17 00:00:00 2001 From: miguel angel rasteu Date: Tue, 29 Aug 2023 08:23:06 +0200 Subject: [PATCH 3/3] #11780 Fix functions_filemanager --- pandora_console/include/functions_filemanager.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pandora_console/include/functions_filemanager.php b/pandora_console/include/functions_filemanager.php index a69a9f8894..aee3d88730 100644 --- a/pandora_console/include/functions_filemanager.php +++ b/pandora_console/include/functions_filemanager.php @@ -190,6 +190,8 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_ // Upload zip. if ($upload_zip === true) { + $parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY)); + $parse_sec2_query = explode('=', $parse_all_queries[1]); if (isset($_FILES['file']) === true && empty($_FILES['file']['name']) === false ) {