From 241c90f2012f05b1efa546b5e4536e5c67827d6b Mon Sep 17 00:00:00 2001 From: alejandro-campos Date: Tue, 3 Nov 2020 15:58:53 +0100 Subject: [PATCH 1/2] fixed security vulnerability --- pandora_console/godmode/servers/plugin.php | 13 ++ .../godmode/setup/file_manager.php | 13 ++ .../include/functions_filemanager.php | 214 ++++++++---------- .../snmpconsole/snmp_mib_uploader.php | 13 ++ 4 files changed, 138 insertions(+), 115 deletions(-) diff --git a/pandora_console/godmode/servers/plugin.php b/pandora_console/godmode/servers/plugin.php index c32152e12d..9b98221a56 100644 --- a/pandora_console/godmode/servers/plugin.php +++ b/pandora_console/godmode/servers/plugin.php @@ -242,6 +242,19 @@ if ($filemanager) { $chunck_url = '&create=1'; } + $upload_file_or_zip = (bool) get_parameter('upload_file_or_zip'); + $create_text_file = (bool) get_parameter('create_text_file'); + + $default_real_directory = realpath($config['homedir'].'/'.$fallback_directory); + + if ($upload_file_or_zip) { + upload_file($upload_file_or_zip, $default_real_directory); + } + + if ($create_text_file) { + create_text_file($default_real_directory); + } + filemanager_file_explorer( $real_directory, $directory, diff --git a/pandora_console/godmode/setup/file_manager.php b/pandora_console/godmode/setup/file_manager.php index 6d5e7679b7..10b1ab740a 100644 --- a/pandora_console/godmode/setup/file_manager.php +++ b/pandora_console/godmode/setup/file_manager.php @@ -66,6 +66,19 @@ $real_directory = realpath($config['homedir'].'/'.$directory); echo '
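Review bot: `$default_real_directory` is passed to `upload_file()` and `create_text_file()` without checking that `realpath()` succeeded; when `$config['homedir'].'/'.$fallback_directory` does not resolve it is `false`, and the `strpos($real_directory, $default_real_directory) !== 0` guard in functions_filemanager.php then runs with an empty needle, whose result depends on the PHP version (PHP 8 reports a match at offset 0, so the guard would accept any directory). Skip both calls when resolution fails, e.g. `if ($default_real_directory === false) { ui_print_error_message(__('Security error')); return; }` placed before the two `if` blocks. The same twelve lines are repeated verbatim in godmode/setup/file_manager.php and operation/snmpconsole/snmp_mib_uploader.php in this patch, which is worth one shared helper rather than three copies. `$fallback_directory` is not set in any of these hunks, so it is presumably defined earlier in each page — worth confirming it is never request-controlled.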

'.__('Index of %s', $directory).'

'; +$upload_file_or_zip = (bool) get_parameter('upload_file_or_zip'); +$create_text_file = (bool) get_parameter('create_text_file'); + +$default_real_directory = realpath($config['homedir'].'/'.$fallback_directory); + +if ($upload_file_or_zip) { + upload_file($upload_file_or_zip, $default_real_directory); +} + +if ($create_text_file) { + create_text_file($default_real_directory); +} + filemanager_file_explorer( $real_directory, $directory, diff --git a/pandora_console/include/functions_filemanager.php b/pandora_console/include/functions_filemanager.php index cf587f8081..2ff77d74fa 100644 --- a/pandora_console/include/functions_filemanager.php +++ b/pandora_console/include/functions_filemanager.php @@ -123,26 +123,11 @@ if ($sec2 == 'enterprise/godmode/agentes/collections' || $sec2 == 'advanced/coll $homedir_filemanager .= '/attachment/collection/'; } -$upload_file_or_zip = (bool) get_parameter('upload_file_or_zip'); -if ($upload_file_or_zip) { - $decompress = get_parameter('decompress'); - if (!$decompress) { - $upload_file = true; - $upload_zip = false; - } else { - $upload_file = false; - $upload_zip = true; - } -} else { - $upload_file = (bool) get_parameter('upload_file'); - $upload_zip = (bool) get_parameter('upload_zip'); -} - -// Upload file -if ($upload_file) { - // Load global vars +function upload_file($upload_file_or_zip, $default_real_directory) +{ global $config; + global $homedir_filemanager; $config['filemanager'] = []; $config['filemanager']['correct_upload_file'] = 0; 
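Review bot: The new `upload_file()` has no docblock and untyped parameters, and its first parameter is misleading: every caller added in this patch passes `(bool) get_parameter('upload_file_or_zip')` and only calls the function when that is true, so the `else` branch reading `upload_file`/`upload_zip` in the @@ -156 hunk is unreachable from them. Add a docblock stating that `$upload_file_or_zip` selects which request parameters are consulted (`decompress` versus `upload_file`/`upload_zip`), that `$default_real_directory` is the `realpath()`'d base directory uploads must stay under and may be `false`, and that the outcome is reported through `$config['filemanager']`; the same applies to `create_text_file()` in the @@ -201 hunk. Both functions are declared in a file whose top level also executes request handling, so if the file can be included more than once a redeclaration error follows — presumably the include sites use `require_once`, worth confirming. `upload_file()` continues past the end of this hunk.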
@@ -156,43 +141,102 @@ if ($upload_file) { return; } - if (isset($_FILES['file']) && $_FILES['file']['name'] != '') { - $filename = $_FILES['file']['name']; - $filesize = $_FILES['file']['size']; - $real_directory = io_safe_output((string) get_parameter('real_directory')); - $directory = io_safe_output((string) get_parameter('directory')); - $umask = io_safe_output((string) get_parameter('umask', '')); - - $hash = get_parameter('hash', ''); - $testHash = md5($real_directory.$directory.$config['dbpass']); - - if ($hash != $testHash) { - $config['filemanager']['message'] = ui_print_error_message(__('Security error'), '', true); + if ($upload_file_or_zip) { + $decompress = get_parameter('decompress'); + if (!$decompress) { + $upload_file = true; + $upload_zip = false; } else { - // Copy file to directory and change name - if ($directory == '') { - $nombre_archivo = $real_directory.'/'.$filename; - } else { - $nombre_archivo = $homedir_filemanager.'/'.$directory.'/'.$filename; - } + $upload_file = false; + $upload_zip = true; + } + } else { + $upload_file = (bool) get_parameter('upload_file'); + $upload_zip = (bool) get_parameter('upload_zip'); + } - if (! 
@copy($_FILES['file']['tmp_name'], $nombre_archivo)) { - $config['filemanager']['message'] = ui_print_error_message(__('Upload error'), '', true); + // Upload file + if ($upload_file) { + if (isset($_FILES['file']) && $_FILES['file']['name'] != '') { + $filename = $_FILES['file']['name']; + $filesize = $_FILES['file']['size']; + $real_directory = io_safe_output((string) get_parameter('real_directory')); + $directory = io_safe_output((string) get_parameter('directory')); + $umask = io_safe_output((string) get_parameter('umask', '')); + + if (strpos($real_directory, $default_real_directory) !== 0) { + // Perform security check to determine whether received upload directory is part of the default path for caller uploader and user is not trying to access an external path (avoid execution of PHP files in directories that are not explicitly controlled by corresponding .htaccess). + ui_print_error_message(__('Security error')); } else { - if ($umask !== '') { - chmod($nombre_archivo, $umask); + // Copy file to directory and change name + if ($directory == '') { + $nombre_archivo = $real_directory.'/'.$filename; + } else { + $nombre_archivo = $homedir_filemanager.'/'.$directory.'/'.$filename; } - $config['filemanager']['correct_upload_file'] = 1; - $config['filemanager']['message'] = ui_print_success_message(__('Upload correct'), '', true); + if (! 
@copy($_FILES['file']['tmp_name'], $nombre_archivo)) { + $config['filemanager']['message'] = ui_print_error_message(__('Upload error')); + } else { + if ($umask !== '') { + chmod($nombre_archivo, $umask); + } - // Delete temporal file - unlink($_FILES['file']['tmp_name']); + $config['filemanager']['correct_upload_file'] = 1; + ui_print_success_message(__('Upload correct')); + + // Delete temporal file + unlink($_FILES['file']['tmp_name']); + } + } + } + } + + // Upload zip + if ($upload_zip) { + if (isset($_FILES['file']) && $_FILES['file']['name'] != '') { + $filename = $_FILES['file']['name']; + $filesize = $_FILES['file']['size']; + $real_directory = (string) get_parameter('real_directory'); + $real_directory = io_safe_output($real_directory); + $directory = (string) get_parameter('directory'); + $directory = io_safe_output($directory); + + if (strpos($real_directory, $default_real_directory) !== 0) { + // Perform security check to determine whether received upload directory is part of the default path for caller uploader and user is not trying to access an external path (avoid execution of PHP files in directories that are not explicitly controlled by corresponding .htaccess). + ui_print_error_message(__('Security error')); + } else { + // Copy file to directory and change name + if ($directory == '') { + $nombre_archivo = $real_directory.'/'.$filename; + } else { + $nombre_archivo = $homedir_filemanager.'/'.$directory.'/'.$filename; + } + + if (! 
@copy($_FILES['file']['tmp_name'], $nombre_archivo)) { + ui_print_error_message(__('Attach error')); + } else { + // Delete temporal file + unlink($_FILES['file']['tmp_name']); + + // Extract the zip file + $zip = new ZipArchive; + $pathname = $homedir_filemanager.'/'.$directory.'/'; + + if ($zip->open($nombre_archivo) === true) { + $zip->extractTo($pathname); + unlink($nombre_archivo); + } + + ui_print_success_message(__('Upload correct')); + $config['filemanager']['correct_upload_file'] = 1; + } } } } } + if (isset($_SERVER['CONTENT_LENGTH'])) { // Control the max_post_size exceed if (intval($_SERVER['CONTENT_LENGTH']) > 0 && empty($_POST) and empty($_FILES)) { @@ -201,11 +245,11 @@ if (isset($_SERVER['CONTENT_LENGTH'])) { } } -// Create text file -$create_text_file = (bool) get_parameter('create_text_file'); -if ($create_text_file) { - // Load global vars + +function create_text_file($default_real_directory) +{ global $config; + global $homedir_filemanager; $config['filemanager'] = []; $config['filemanager']['correct_upload_file'] = 0; @@ -228,11 +272,9 @@ if ($create_text_file) { $directory = io_safe_output($directory); $umask = (string) get_parameter('umask', ''); - $hash = get_parameter('hash', ''); - $testHash = md5($real_directory.$directory.$config['dbpass']); - - if ($hash != $testHash) { - ui_print_error_message(__('Security error'), '', true); + if (strpos($real_directory, $default_real_directory) !== 0) { + // Perform security check to determine whether received upload directory is part of the default path for caller uploader and user is not trying to access an external path (avoid execution of PHP files in directories that are not explicitly controlled by corresponding .htaccess). + ui_print_error_message(__('Security error')); } else { if ($directory == '') { $nombre_archivo = $real_directory.'/'.$filename; 
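Review bot: The new prefix check guards `$real_directory` only, but in both the file and the zip branch the upload is written to `$homedir_filemanager.'/'.$directory.'/'.$filename` whenever `$directory` is non-empty, and neither `$directory` nor `$filename` (taken raw from `$_FILES['file']['name']`) is validated against `$default_real_directory`. The check itself is a plain `strpos()` on an un-normalised request string, so it also accepts a sibling directory whose name merely starts with the base, or a path that leaves the base through `..` segments after the prefix. Resolve the directory the file will actually land in with `realpath()`, compare it against the base plus a trailing `DIRECTORY_SEPARATOR`, and apply `basename()` to the upload name; the zip branch of this hunk and `create_text_file()` in the @@ -228 hunk need the same treatment. Separately, failure paths are now inconsistent — `ui_print_error_message(__('Security error'))` is printed directly while `$config['filemanager']['message'] = ui_print_error_message(__('Upload error'))` is stored — and `$filesize` is assigned but never used. `upload_file()` continues beyond this hunk.
```php
        if (isset($_FILES['file']) && $_FILES['file']['name'] != '') {
            // … unchanged: read real_directory, directory, umask from the request …
            $filename = basename($_FILES['file']['name']);

            // Validate the directory the file is actually written to, not only
            // the real_directory parameter: resolve it and require it to be the
            // base directory itself or a descendant of it.
            $target_directory = ($directory == '')
                ? $real_directory
                : $homedir_filemanager.'/'.$directory;
            $resolved_target = realpath($target_directory);
            $base = rtrim((string) $default_real_directory, DIRECTORY_SEPARATOR).DIRECTORY_SEPARATOR;

            if ($default_real_directory === false
                || $resolved_target === false
                || strpos($resolved_target.DIRECTORY_SEPARATOR, $base) !== 0
            ) {
                $config['filemanager']['message'] = ui_print_error_message(__('Security error'), '', true);
            } else {
                $nombre_archivo = $resolved_target.'/'.$filename;
                // … unchanged: copy, chmod, success message, unlink …
            }
        }
```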
@@ -241,80 +283,22 @@ if ($create_text_file) { } if (! @touch($nombre_archivo)) { - $config['filemanager']['message'] = ui_print_error_message(__('Error creating file'), '', true); + $config['filemanager']['message'] = ui_print_error_message(__('Error creating file')); } else { if ($umask !== '') { chmod($nombre_archivo, $umask); } - $config['filemanager']['message'] = ui_print_success_message(__('Upload correct'), '', true); + ui_print_success_message(__('Upload correct')); + $config['filemanager']['correct_upload_file'] = 1; } } } else { - $config['filemanager']['message'] = ui_print_error_message(__('Error creating file with empty name'), '', true); + ui_print_error_message(__('Error creating file with empty name')); } } -// Upload zip -if ($upload_zip) { - // Load global vars - global $config; - - $config['filemanager'] = []; - $config['filemanager']['correct_upload_file'] = 0; - $config['filemanager']['message'] = null; - - check_login(); - - if (! check_acl($config['id_user'], 0, 'AW')) { - db_pandora_audit('ACL Violation', 'Trying to access File manager'); - include 'general/noaccess.php'; - return; - } - - if (isset($_FILES['file']) && $_FILES['file']['name'] != '') { - $filename = $_FILES['file']['name']; - $filesize = $_FILES['file']['size']; - $real_directory = (string) get_parameter('real_directory'); - $real_directory = io_safe_output($real_directory); - $directory = (string) get_parameter('directory'); - $directory = io_safe_output($directory); - - $hash = get_parameter('hash', ''); - $testHash = md5($real_directory.$directory.$config['dbpass']); - - if ($hash != $testHash) { - $config['filemanager']['message'] = ui_print_error_message(__('Security error'), '', true); - } else { - // Copy file to directory and change name - if ($directory == '') { - $nombre_archivo = $real_directory.'/'.$filename; - } else { - $nombre_archivo = $homedir_filemanager.'/'.$directory.'/'.$filename; - } - - if (! 
@copy($_FILES['file']['tmp_name'], $nombre_archivo)) { - $config['filemanager']['message'] = ui_print_error_message(__('Attach error'), '', true); - } else { - // Delete temporal file - unlink($_FILES['file']['tmp_name']); - - // Extract the zip file - $zip = new ZipArchive; - $pathname = $homedir_filemanager.'/'.$directory.'/'; - - if ($zip->open($nombre_archivo) === true) { - $zip->extractTo($pathname); - unlink($nombre_archivo); - } - - $config['filemanager']['message'] = ui_print_success_message(__('Upload correct'), '', true); - $config['filemanager']['correct_upload_file'] = 1; - } - } - } -} // CREATE DIR $create_dir = (bool) get_parameter('create_dir'); diff --git a/pandora_console/operation/snmpconsole/snmp_mib_uploader.php b/pandora_console/operation/snmpconsole/snmp_mib_uploader.php index 1fbe2b1823..36ddb57072 100644 --- a/pandora_console/operation/snmpconsole/snmp_mib_uploader.php +++ b/pandora_console/operation/snmpconsole/snmp_mib_uploader.php @@ -69,6 +69,19 @@ $real_directory = realpath($config['homedir'].'/'.$directory); ui_print_info_message(__('MIB files will be installed on the system. Please note that a MIB may depend on other MIB. To customize trap definitions use the SNMP trap editor.')); +$upload_file_or_zip = (bool) get_parameter('upload_file_or_zip'); +$create_text_file = (bool) get_parameter('create_text_file'); + +$default_real_directory = realpath($config['homedir'].'/'.$fallback_directory); + +if ($upload_file_or_zip) { + upload_file($upload_file_or_zip, $default_real_directory); +} + +if ($create_text_file) { + create_text_file($default_real_directory); +} + filemanager_file_explorer( $real_directory, $directory, From 59e2930bec922c53e6fee0d13401b8fc8b840e68 Mon Sep 17 00:00:00 2001 From: alejandro-campos Date: Tue, 1 Dec 2020 13:15:48 +0100 Subject: [PATCH 2/2] fixed global declaration in meta --- .../include/functions_filemanager.php | 29 +++++++++++++------ 1 file changed, 20 insertions(+), 9 deletions(-) 
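Review bot: In `create_text_file()` the success path now calls `ui_print_success_message(__('Upload correct'))` directly while the failure path still stores its result in `$config['filemanager']['message']`, so a caller that renders `$config['filemanager']['message']` sees errors but never the success text; keep the original form, `$config['filemanager']['message'] = ui_print_success_message(__('Upload correct'), '', true);`, or stop storing the message on every path. The `chmod($nombre_archivo, $umask)` kept as context passes the raw request string where an integer mode is expected, so a value such as `0644` is read as decimal 644 rather than octal — validate it against `/^[0-7]{3,4}$/` and convert with `octdec()` before the call; this is pre-existing, but it now lives in the new function. The rest of the hunk only deletes the top-level zip block that the @@ -156 hunk re-homed.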
diff --git a/pandora_console/include/functions_filemanager.php b/pandora_console/include/functions_filemanager.php index 2ff77d74fa..c4a1fc4e5b 100644 --- a/pandora_console/include/functions_filemanager.php +++ b/pandora_console/include/functions_filemanager.php @@ -117,17 +117,16 @@ if (!function_exists('mime_content_type')) { global $config; -$homedir_filemanager = trim($config['homedir']); -$sec2 = get_parameter('sec2'); -if ($sec2 == 'enterprise/godmode/agentes/collections' || $sec2 == 'advanced/collections') { - $homedir_filemanager .= '/attachment/collection/'; -} - - function upload_file($upload_file_or_zip, $default_real_directory) { global $config; - global $homedir_filemanager; + + $homedir_filemanager = trim($config['homedir']); + $sec2 = get_parameter('sec2'); + + if ($sec2 == 'enterprise/godmode/agentes/collections' || $sec2 == 'advanced/collections') { + $homedir_filemanager .= '/attachment/collection/'; + } $config['filemanager'] = []; $config['filemanager']['correct_upload_file'] = 0; @@ -249,7 +248,13 @@ if (isset($_SERVER['CONTENT_LENGTH'])) { function create_text_file($default_real_directory) { global $config; - global $homedir_filemanager; + + $homedir_filemanager = trim($config['homedir']); + $sec2 = get_parameter('sec2'); + + if ($sec2 == 'enterprise/godmode/agentes/collections' || $sec2 == 'advanced/collections') { + $homedir_filemanager .= '/attachment/collection/'; + } $config['filemanager'] = []; $config['filemanager']['correct_upload_file'] = 0; @@ -300,6 +305,12 @@ function create_text_file($default_real_directory) } +$homedir_filemanager = trim($config['homedir']); +$sec2 = get_parameter('sec2'); +if ($sec2 == 'enterprise/godmode/agentes/collections' || $sec2 == 'advanced/collections') { + $homedir_filemanager .= '/attachment/collection/'; +} + // CREATE DIR $create_dir = (bool) get_parameter('create_dir'); if ($create_dir) {
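Review bot: The five lines deriving `$homedir_filemanager` from `$config['homedir']` and the `sec2` request parameter now appear three times in this file — inside `upload_file()` in this hunk, inside `create_text_file()` in the @@ -249 hunk, and at top level before the create-dir block in the @@ -300 hunk — so the collections suffix must be kept in sync in three places. Factor them into one helper (the name below is a proposal) and call it from the three sites as `$homedir_filemanager = filemanager_homedir();`. The helper's docblock should say that the base directory is chosen by the caller-supplied `sec2` value, because the upload path built from it is exactly what the security check in `upload_file()` is meant to constrain. `upload_file()` and `create_text_file()` both continue beyond their hunks.
```php
/**
 * Base directory for file-manager operations.
 *
 * Chosen by the request's sec2 parameter: the collections pages work under
 * attachment/collection/, every other caller under the console home directory.
 *
 * @return string Directory path without trailing-slash normalisation.
 */
function filemanager_homedir()
{
    global $config;

    $homedir = trim($config['homedir']);
    $sec2 = get_parameter('sec2');
    if ($sec2 == 'enterprise/godmode/agentes/collections' || $sec2 == 'advanced/collections') {
        $homedir .= '/attachment/collection/';
    }

    return $homedir;
}
```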