tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-27 15:54:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ent-11780-remote-code-execution-via-mibs-file-uploader' into 'develop'

Browse Source 
Ent 11780 remote code execution via mibs file uploader

See merge request artica/pandorafms!6357
This commit is contained in:
Rafael Ameijeiras 2023-09-04 12:59:59 +00:00
commit 025aa9f72a
1 changed files with 33 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
pandora_console/include/functions_filemanager.php
View File

@ -125,9 +125,22 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
if (isset($_FILES['file']) === true && empty($_FILES['file']['name']) === false) { if (isset($_FILES['file']) === true && empty($_FILES['file']['name']) === false) {
$filename = $_FILES['file']['name']; $filename = $_FILES['file']['name'];
$real_directory = filemanager_safe_directory($destination_directory); $real_directory = filemanager_safe_directory($destination_directory);
$umask = io_safe_output((string) get_parameter('umask')); $extension = pathinfo($filename, PATHINFO_EXTENSION);
if (strpos($real_directory, $default_real_directory) !== 0) { $umask = io_safe_output((string) get_parameter('umask'));
$parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY));
$parse_sec2_query = explode('=', $parse_all_queries[1]);
$check_extension = true;
if ($parse_sec2_query[1] === 'operation/snmpconsole/snmp_mib_uploader') {
if ((strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')) {
$check_extension = false;
} else {
$check_extension = true;
}
}
// (strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')
if (strpos($real_directory, $default_real_directory) !== 0 || $check_extension === false) {
// Perform security check to determine whether received upload // Perform security check to determine whether received upload
// directory is part of the default path for caller uploader and // directory is part of the default path for caller uploader and
// user is not trying to access an external path (avoid // user is not trying to access an external path (avoid
@ -177,14 +190,31 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
// Upload zip. // Upload zip.
if ($upload_zip === true) { if ($upload_zip === true) {
$parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY));
$parse_sec2_query = explode('=', $parse_all_queries[1]);
if (isset($_FILES['file']) === true if (isset($_FILES['file']) === true
&& empty($_FILES['file']['name']) === false && empty($_FILES['file']['name']) === false
) { ) {
$filename = $_FILES['file']['name']; $filename = $_FILES['file']['name'];
$filepath = $_FILES['file']['tmp_name']; $filepath = $_FILES['file']['tmp_name'];
$real_directory = filemanager_safe_directory($destination_directory); $real_directory = filemanager_safe_directory($destination_directory);
$secure = true;
if ($parse_sec2_query[1] === 'operation/snmpconsole/snmp_mib_uploader') {
// Security control structure.
$zip = new \ZipArchive;
if ($zip->open($filepath) === true) {
for ($i = 0; $i < $zip->numFiles; $i++) {
$unzip_filename = $zip->getNameIndex($i);
$extension = pathinfo($unzip_filename, PATHINFO_EXTENSION);
if (strtolower($extension) !== 'mib') {
$secure = false;
break;
}
}
}
}
if (strpos($real_directory, $default_real_directory) !== 0) { if (strpos($real_directory, $default_real_directory) !== 0 || $secure === false) {
// Perform security check to determine whether received upload // Perform security check to determine whether received upload
// directory is part of the default path for caller uploader // directory is part of the default path for caller uploader
// and user is not trying to access an external path (avoid // and user is not trying to access an external path (avoid