From 5d5bfc654dfaad238c62540ba0819fef810e8f86 Mon Sep 17 00:00:00 2001 From: Daniel Cebrian Date: Mon, 22 Jan 2024 12:39:43 +0100 Subject: [PATCH] #12753 fixed os command injection --- pandora_console/include/ajax/events.php | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pandora_console/include/ajax/events.php b/pandora_console/include/ajax/events.php index 007ba77d89..851a22040b 100644 --- a/pandora_console/include/ajax/events.php +++ b/pandora_console/include/ajax/events.php @@ -1335,6 +1335,15 @@ if ($perform_event_response === true) { } $command = $event_response['target']; + + // Prevent OS command injection. + $prev_command = get_events_get_response_target($event_id, $event_response, $server_id); + + if ($command !== $prev_command) { + echo __('unauthorized'); + return; + } + $command_timeout = ($event_response !== false) ? $event_response['command_timeout'] : 90; if (enterprise_installed() === true) { if ($event_response !== false
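Review bot: The added guard compares `$command` with a value computed from the same `$event_response` array that `$command` was read from one line earlier, so it only closes the injection path if `get_events_get_response_target()` rebuilds the target from the stored response definition and not from fields of the array it is given. That helper is outside the hunk, so this needs confirming; if it does trust the passed array, the definition should be reloaded server-side by its id before the comparison. The comment should state the invariant rather than the goal, e.g. `// Reject unless the submitted target equals the one rebuilt server-side for this event and response.` The rejection branch is also silent: a mismatch here is a strong tampering signal, so it should set `http_response_code(403);` and write an entry to the console's audit log before `return;`. The enclosing `if ($perform_event_response === true)` block starts and ends outside the hunk.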