tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ent-13781-cve-2024-35307-console-realtime-graph-extension-is-vulnerable-to-argument-injection' into 'develop' 

cve-2024-35307

See merge request artica/pandorafms!7415
This commit is contained in:
Matias Didier 2024-05-23 16:16:03 +00:00
parent 2884868b98 7076426b28
commit 2f902fcb39
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
pandora_console/include/functions.php
View File

@ -2164,6 +2164,21 @@ function get_snmpwalk(
return []; return [];
} }
// Check if valid IP or DNS
if (filter_var($ip_target, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6) === false &&
preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $ip_target) !== 1
) {
return [];
}
// Check if valid OID or MIB and not starting with dash (-)
if ((preg_match('/^\.{0,1}(\d+(\.\d+)*){0,1}$/', $base_oid) !== 1 &&
preg_match('/^[A-Za-z0-9-:]+(\.[A-Za-z0-9-:]+)*(?<![-:])$/', $base_oid) !== 1) ||
preg_match('/^-/', $base_oid) === 1
) {
return [];
}
// Note: quick_print is ignored // Note: quick_print is ignored
// Fix for snmp port // Fix for snmp port
if (!empty($snmp_port)) { if (!empty($snmp_port)) {