Merge branch 'ent-7663-vulnerabilidad-hash-file-manager' into 'develop'

Change token for hash generation Closes pandora_enterprise#7663 See merge request artica/pandorafms!4182
2021-06-21 14:05:10 +00:00 · 2021-06-21 14:05:10 +00:00 · 493cce4e6f
parent 043b512cc4 9f120280a2
commit 493cce4e6f
2 changed files with 13 additions and 13 deletions
--- a/pandora_console/include/functions_filemanager.php
+++ b/pandora_console/include/functions_filemanager.php
@ -330,7 +330,7 @@ if ($create_dir === true) {
    $directory = filemanager_safe_directory((string) get_parameter('directory', '/'));
    $hash      = (string) get_parameter('hash');
-    $testHash  = md5($directory.$config['dbpass']);
+    $testHash  = md5($directory.$config['server_unique_identifier']);
    if ($hash !== $testHash) {
         ui_print_error_message(__('Security error.'));
@ -363,7 +363,7 @@ if ($delete_file === true) {
    $filename = (string) get_parameter('filename');
    $filename = io_safe_output($filename);
    $hash     = get_parameter('hash', '');
-    $testHash = md5($filename.$config['dbpass']);
+    $testHash = md5($filename.$config['server_unique_identifier']);
    if ($hash !== $testHash) {
        $config['filemanager']['message'] = ui_print_error_message(__('Security error'), '', true);
@ -645,7 +645,7 @@ function filemanager_file_explorer(
        if (($prev_dir_str != '') && ($father != $relative_directory)) {
            $table->data[0][0] = html_print_image('images/go_previous.png', true, ['class' => 'invert_filter']);
-            $table->data[0][1] = '<a href="'.$url.'&directory='.$prev_dir_str.'&hash2='.md5($prev_dir_str.$config['dbpass']).'">';
+            $table->data[0][1] = '<a href="'.$url.'&directory='.$prev_dir_str.'&hash2='.md5($prev_dir_str.$config['server_unique_identifier']).'">';
            $table->data[0][1] .= __('Parent directory');
            $table->data[0][1] .= '</a>';
@ -696,7 +696,7 @@ function filemanager_file_explorer(
            }
            if ($fileinfo['is_dir']) {
-                $data[1] = '<a href="'.$url.'&directory='.$relative_directory.'/'.$fileinfo['name'].'&hash2='.md5($relative_directory.'/'.$fileinfo['name'].$config['dbpass']).'">'.$fileinfo['name'].'</a>';
+                $data[1] = '<a href="'.$url.'&directory='.$relative_directory.'/'.$fileinfo['name'].'&hash2='.md5($relative_directory.'/'.$fileinfo['name'].$config['server_unique_identifier']).'">'.$fileinfo['name'].'</a>';
            } else if (!empty($url_file)) {
                // Set the custom url file
                $url_file_clean = str_replace('[FILE_FULLPATH]', $fileinfo['realpath'], $url_file);
@ -704,7 +704,7 @@ function filemanager_file_explorer(
                $data[1] = '<a href="'.$url_file_clean.'">'.$fileinfo['name'].'</a>';
            } else {
                $filename = base64_encode($relative_directory.'/'.$fileinfo['name']);
-                $hash = md5($filename.$config['dbpass']);
+                $hash = md5($filename.$config['server_unique_identifier']);
                $data[1] = '<a href="'.$hack_metaconsole.'include/get_file.php?file='.urlencode($filename).'&hash='.$hash.'">'.$fileinfo['name'].'</a>';
            }
@ -739,7 +739,7 @@ function filemanager_file_explorer(
                $data[4] .= '<form method="post" action="'.$url.'" style="">';
                $data[4] .= '<input type="image" class="invert_filter" src="images/cross.png" onClick="if (!confirm(\' '.__('Are you sure?').'\')) return false;">';
                $data[4] .= html_print_input_hidden('filename', $fileinfo['realpath'], true);
-                $data[4] .= html_print_input_hidden('hash', md5($fileinfo['realpath'].$config['dbpass']), true);
+                $data[4] .= html_print_input_hidden('hash', md5($fileinfo['realpath'].$config['server_unique_identifier']), true);
                $data[4] .= html_print_input_hidden('delete_file', 1, true);
                $relative_dir = str_replace($homedir_filemanager, '', str_replace('\\', '/', dirname($fileinfo['realpath'])));
@ -748,7 +748,7 @@ function filemanager_file_explorer(
                    $relative_dir = substr($relative_dir, 1);
                }
-                $hash2 = md5($relative_dir.$config['dbpass']);
+                $hash2 = md5($relative_dir.$config['server_unique_identifier']);
                $data[4] .= html_print_input_hidden('directory', $relative_dir, true);
                $data[4] .= html_print_input_hidden('hash2', $hash2, true);
@ -758,7 +758,7 @@ function filemanager_file_explorer(
                    if (($typefile != 'bin') && ($typefile != 'pdf') && ($typefile != 'png') && ($typefile != 'jpg')
                        && ($typefile != 'iso') && ($typefile != 'docx') && ($typefile != 'doc') && ($fileinfo['mime'] != MIME_DIR)
                    ) {
-                        $hash = md5($fileinfo['realpath'].$config['dbpass']);
+                        $hash = md5($fileinfo['realpath'].$config['server_unique_identifier']);
                        $data[4] .= "<a style='vertical-align: top;' href='$url&edit_file=1&hash=".$hash.'&location_file='.$fileinfo['realpath']."' style='float: left;'>".html_print_image('images/edit.png', true, ['style' => 'margin-top: 2px;', 'title' => __('Edit file'), 'class' => 'invert_filter']).'</a>';
                    }
                }
@ -766,7 +766,7 @@ function filemanager_file_explorer(
            if ((!$fileinfo['is_dir']) && ($download_button)) {
                $filename = base64_encode($fileinfo['name']);
-                $hash = md5($filename.$config['dbpass']);
+                $hash = md5($filename.$config['server_unique_identifier']);
                $data[4] .= '<a href="include/get_file.php?file='.urlencode($filename).'&hash='.$hash.'" style="vertical-align: 25%;">';
                $data[4] .= html_print_image('images/file.png', true, ['class' => 'invert_filter']);
                $data[4] .= '</a>';
@ -824,13 +824,13 @@ function filemanager_file_explorer(
            </li></ul>';
            echo '<div id="create_folder" class="invisible">'.$tabs_dialog.'
-            <form method="post" action="'.$url.'">'.html_print_input_text('dirname', '', '', 30, 255, true).html_print_submit_button(__('Create'), 'crt', false, 'class="sub next"', true).html_print_input_hidden('directory', $relative_directory, true).html_print_input_hidden('create_dir', 1, true).html_print_input_hidden('hash', md5($relative_directory.$config['dbpass']), true).html_print_input_hidden('hash2', md5($relative_directory.$config['dbpass']), true).'</form></div>';
+            <form method="post" action="'.$url.'">'.html_print_input_text('dirname', '', '', 30, 255, true).html_print_submit_button(__('Create'), 'crt', false, 'class="sub next"', true).html_print_input_hidden('directory', $relative_directory, true).html_print_input_hidden('create_dir', 1, true).html_print_input_hidden('hash', md5($relative_directory.$config['server_unique_identifier']), true).html_print_input_hidden('hash2', md5($relative_directory.$config['server_unique_identifier']), true).'</form></div>';
            echo '<div id="upload_file" class="invisible"> '.$tabs_dialog.'
-            <form method="post" action="'.$url.'" enctype="multipart/form-data">'.ui_print_help_tip(__('The zip upload in this dir, easy to upload multiple files.'), true).html_print_input_file('file', true, false).html_print_input_hidden('umask', $umask, true).html_print_checkbox('decompress', 1, false, true).__('Decompress').html_print_submit_button(__('Go'), 'go', false, 'class="sub next"', true).html_print_input_hidden('real_directory', $real_directory, true).html_print_input_hidden('directory', $relative_directory, true).html_print_input_hidden('hash', md5($real_directory.$relative_directory.$config['dbpass']), true).html_print_input_hidden('hash2', md5($relative_directory.$config['dbpass']), true).html_print_input_hidden('upload_file_or_zip', 1, true).'</form></div>';
+            <form method="post" action="'.$url.'" enctype="multipart/form-data">'.ui_print_help_tip(__('The zip upload in this dir, easy to upload multiple files.'), true).html_print_input_file('file', true, false).html_print_input_hidden('umask', $umask, true).html_print_checkbox('decompress', 1, false, true).__('Decompress').html_print_submit_button(__('Go'), 'go', false, 'class="sub next"', true).html_print_input_hidden('real_directory', $real_directory, true).html_print_input_hidden('directory', $relative_directory, true).html_print_input_hidden('hash', md5($real_directory.$relative_directory.$config['server_unique_identifier']), true).html_print_input_hidden('hash2', md5($relative_directory.$config['server_unique_identifier']), true).html_print_input_hidden('upload_file_or_zip', 1, true).'</form></div>';
            echo ' <div id="create_text_file" class="invisible">'.$tabs_dialog.'
-            <form method="post" action="'.$url.'">'.html_print_input_text('name_file', '', '', 30, 50, true).html_print_submit_button(__('Create'), 'create', false, 'class="sub next"', true).html_print_input_hidden('real_directory', $real_directory, true).html_print_input_hidden('directory', $relative_directory, true).html_print_input_hidden('hash', md5($real_directory.$relative_directory.$config['dbpass']), true).html_print_input_hidden('umask', $umask, true).html_print_input_hidden('create_text_file', 1, true).'</form></div>';
+            <form method="post" action="'.$url.'">'.html_print_input_text('name_file', '', '', 30, 50, true).html_print_submit_button(__('Create'), 'create', false, 'class="sub next"', true).html_print_input_hidden('real_directory', $real_directory, true).html_print_input_hidden('directory', $relative_directory, true).html_print_input_hidden('hash', md5($real_directory.$relative_directory.$config['server_unique_identifier']), true).html_print_input_hidden('umask', $umask, true).html_print_input_hidden('create_text_file', 1, true).'</form></div>';
            echo "<div style='width: ".$table->width.";' class='file_table_buttons'>";
--- a/pandora_console/include/get_file.php
+++ b/pandora_console/include/get_file.php
@ -35,7 +35,7 @@ $file = base64_decode(urldecode($file_raw));
 $hash = get_parameter('hash', null);
-if ($file === '' || $hash === '' || $hash !== md5($file_raw.$config['dbpass']) || !isset($_SERVER['HTTP_REFERER'])) {
+if ($file === '' || $hash === '' || $hash !== md5($file_raw.$config['server_unique_identifier']) || !isset($_SERVER['HTTP_REFERER'])) {
    echo "<h3 style='".$styleError."'>".__('Security error. Please contact the administrator.').'</h3>';
 } else {
    $downloadable_file = '';