tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-28 08:14:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ent-6619-Remote-code-execution' into 'develop'

Browse Source 
fixed security vulnerability

See merge request artica/pandorafms!3591
This commit is contained in:
Daniel Rodriguez 2020-12-02 17:16:05 +01:00
commit 98c5ef7142
4 changed files with 154 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
pandora_console/godmode/servers/plugin.php
View File

@ -242,6 +242,19 @@ if ($filemanager) {
$chunck_url = '&create=1'; $chunck_url = '&create=1';
} }
$upload_file_or_zip = (bool) get_parameter('upload_file_or_zip');
$create_text_file = (bool) get_parameter('create_text_file');
$default_real_directory = realpath($config['homedir'].'/'.$fallback_directory);
if ($upload_file_or_zip) {
upload_file($upload_file_or_zip, $default_real_directory);
}
if ($create_text_file) {
create_text_file($default_real_directory);
}
filemanager_file_explorer( filemanager_file_explorer(
$real_directory, $real_directory,
$directory, $directory,

13
pandora_console/godmode/setup/file_manager.php
View File

@ -66,6 +66,19 @@ $real_directory = realpath($config['homedir'].'/'.$directory);
echo '<h4>'.__('Index of %s', $directory).'</h4>'; echo '<h4>'.__('Index of %s', $directory).'</h4>';
$upload_file_or_zip = (bool) get_parameter('upload_file_or_zip');
$create_text_file = (bool) get_parameter('create_text_file');
$default_real_directory = realpath($config['homedir'].'/'.$fallback_directory);
if ($upload_file_or_zip) {
upload_file($upload_file_or_zip, $default_real_directory);
}
if ($create_text_file) {
create_text_file($default_real_directory);
}
filemanager_file_explorer( filemanager_file_explorer(
$real_directory, $real_directory,
$directory, $directory,

179
pandora_console/include/functions_filemanager.php
View File

@ -117,13 +117,28 @@ if (!function_exists('mime_content_type')) {
global $config; global $config;
function upload_file($upload_file_or_zip, $default_real_directory)
{
global $config;
$homedir_filemanager = trim($config['homedir']); $homedir_filemanager = trim($config['homedir']);
$sec2 = get_parameter('sec2'); $sec2 = get_parameter('sec2');
if ($sec2 == 'enterprise/godmode/agentes/collections' || $sec2 == 'advanced/collections') { if ($sec2 == 'enterprise/godmode/agentes/collections' || $sec2 == 'advanced/collections') {
$homedir_filemanager .= '/attachment/collection/'; $homedir_filemanager .= '/attachment/collection/';
} }
$upload_file_or_zip = (bool) get_parameter('upload_file_or_zip'); $config['filemanager'] = [];
$config['filemanager']['correct_upload_file'] = 0;
$config['filemanager']['message'] = null;
check_login();
if (! check_acl($config['id_user'], 0, 'AW')) {
db_pandora_audit('ACL Violation', 'Trying to access File manager');
include 'general/noaccess.php';
return;
}
if ($upload_file_or_zip) { if ($upload_file_or_zip) {
$decompress = get_parameter('decompress'); $decompress = get_parameter('decompress');
@ -141,21 +156,6 @@ if ($upload_file_or_zip) {
// Upload file // Upload file
if ($upload_file) { if ($upload_file) {
// Load global vars
global $config;
$config['filemanager'] = [];
$config['filemanager']['correct_upload_file'] = 0;
$config['filemanager']['message'] = null;
check_login();
if (! check_acl($config['id_user'], 0, 'AW')) {
db_pandora_audit('ACL Violation', 'Trying to access File manager');
include 'general/noaccess.php';
return;
}
if (isset($_FILES['file']) && $_FILES['file']['name'] != '') { if (isset($_FILES['file']) && $_FILES['file']['name'] != '') {
$filename = $_FILES['file']['name']; $filename = $_FILES['file']['name'];
$filesize = $_FILES['file']['size']; $filesize = $_FILES['file']['size'];
@ -163,11 +163,9 @@ if ($upload_file) {
$directory = io_safe_output((string) get_parameter('directory')); $directory = io_safe_output((string) get_parameter('directory'));
$umask = io_safe_output((string) get_parameter('umask', '')); $umask = io_safe_output((string) get_parameter('umask', ''));
$hash = get_parameter('hash', ''); if (strpos($real_directory, $default_real_directory) !== 0) {
$testHash = md5($real_directory.$directory.$config['dbpass']); // Perform security check to determine whether received upload directory is part of the default path for caller uploader and user is not trying to access an external path (avoid execution of PHP files in directories that are not explicitly controlled by corresponding .htaccess).
ui_print_error_message(__('Security error'));
if ($hash != $testHash) {
$config['filemanager']['message'] = ui_print_error_message(__('Security error'), '', true);
} else { } else {
// Copy file to directory and change name // Copy file to directory and change name
if ($directory == '') { if ($directory == '') {
@ -177,14 +175,14 @@ if ($upload_file) {
} }
if (! @copy($_FILES['file']['tmp_name'], $nombre_archivo)) { if (! @copy($_FILES['file']['tmp_name'], $nombre_archivo)) {
$config['filemanager']['message'] = ui_print_error_message(__('Upload error'), '', true); $config['filemanager']['message'] = ui_print_error_message(__('Upload error'));
} else { } else {
if ($umask !== '') { if ($umask !== '') {
chmod($nombre_archivo, $umask); chmod($nombre_archivo, $umask);
} }
$config['filemanager']['correct_upload_file'] = 1; $config['filemanager']['correct_upload_file'] = 1;
$config['filemanager']['message'] = ui_print_success_message(__('Upload correct'), '', true); ui_print_success_message(__('Upload correct'));
// Delete temporal file // Delete temporal file
unlink($_FILES['file']['tmp_name']); unlink($_FILES['file']['tmp_name']);
@ -193,6 +191,51 @@ if ($upload_file) {
} }
} }
// Upload zip
if ($upload_zip) {
if (isset($_FILES['file']) && $_FILES['file']['name'] != '') {
$filename = $_FILES['file']['name'];
$filesize = $_FILES['file']['size'];
$real_directory = (string) get_parameter('real_directory');
$real_directory = io_safe_output($real_directory);
$directory = (string) get_parameter('directory');
$directory = io_safe_output($directory);
if (strpos($real_directory, $default_real_directory) !== 0) {
// Perform security check to determine whether received upload directory is part of the default path for caller uploader and user is not trying to access an external path (avoid execution of PHP files in directories that are not explicitly controlled by corresponding .htaccess).
ui_print_error_message(__('Security error'));
} else {
// Copy file to directory and change name
if ($directory == '') {
$nombre_archivo = $real_directory.'/'.$filename;
} else {
$nombre_archivo = $homedir_filemanager.'/'.$directory.'/'.$filename;
}
if (! @copy($_FILES['file']['tmp_name'], $nombre_archivo)) {
ui_print_error_message(__('Attach error'));
} else {
// Delete temporal file
unlink($_FILES['file']['tmp_name']);
// Extract the zip file
$zip = new ZipArchive;
$pathname = $homedir_filemanager.'/'.$directory.'/';
if ($zip->open($nombre_archivo) === true) {
$zip->extractTo($pathname);
unlink($nombre_archivo);
}
ui_print_success_message(__('Upload correct'));
$config['filemanager']['correct_upload_file'] = 1;
}
}
}
}
}
if (isset($_SERVER['CONTENT_LENGTH'])) { if (isset($_SERVER['CONTENT_LENGTH'])) {
// Control the max_post_size exceed // Control the max_post_size exceed
if (intval($_SERVER['CONTENT_LENGTH']) > 0 && empty($_POST) and empty($_FILES)) { if (intval($_SERVER['CONTENT_LENGTH']) > 0 && empty($_POST) and empty($_FILES)) {
@ -201,12 +244,18 @@ if (isset($_SERVER['CONTENT_LENGTH'])) {
} }
} }
// Create text file
$create_text_file = (bool) get_parameter('create_text_file'); function create_text_file($default_real_directory)
if ($create_text_file) { {
// Load global vars
global $config; global $config;
$homedir_filemanager = trim($config['homedir']);
$sec2 = get_parameter('sec2');
if ($sec2 == 'enterprise/godmode/agentes/collections' || $sec2 == 'advanced/collections') {
$homedir_filemanager .= '/attachment/collection/';
}
$config['filemanager'] = []; $config['filemanager'] = [];
$config['filemanager']['correct_upload_file'] = 0; $config['filemanager']['correct_upload_file'] = 0;
$config['filemanager']['message'] = null; $config['filemanager']['message'] = null;
@ -228,11 +277,9 @@ if ($create_text_file) {
$directory = io_safe_output($directory); $directory = io_safe_output($directory);
$umask = (string) get_parameter('umask', ''); $umask = (string) get_parameter('umask', '');
$hash = get_parameter('hash', ''); if (strpos($real_directory, $default_real_directory) !== 0) {
$testHash = md5($real_directory.$directory.$config['dbpass']); // Perform security check to determine whether received upload directory is part of the default path for caller uploader and user is not trying to access an external path (avoid execution of PHP files in directories that are not explicitly controlled by corresponding .htaccess).
ui_print_error_message(__('Security error'));
if ($hash != $testHash) {
ui_print_error_message(__('Security error'), '', true);
} else { } else {
if ($directory == '') { if ($directory == '') {
$nombre_archivo = $real_directory.'/'.$filename; $nombre_archivo = $real_directory.'/'.$filename;
@ -241,79 +288,27 @@ if ($create_text_file) {
} }
if (! @touch($nombre_archivo)) { if (! @touch($nombre_archivo)) {
$config['filemanager']['message'] = ui_print_error_message(__('Error creating file'), '', true); $config['filemanager']['message'] = ui_print_error_message(__('Error creating file'));
} else { } else {
if ($umask !== '') { if ($umask !== '') {
chmod($nombre_archivo, $umask); chmod($nombre_archivo, $umask);
} }
$config['filemanager']['message'] = ui_print_success_message(__('Upload correct'), '', true); ui_print_success_message(__('Upload correct'));
$config['filemanager']['correct_upload_file'] = 1; $config['filemanager']['correct_upload_file'] = 1;
} }
} }
} else { } else {
$config['filemanager']['message'] = ui_print_error_message(__('Error creating file with empty name'), '', true); ui_print_error_message(__('Error creating file with empty name'));
} }
} }
// Upload zip
if ($upload_zip) {
// Load global vars
global $config;
$config['filemanager'] = []; $homedir_filemanager = trim($config['homedir']);
$config['filemanager']['correct_upload_file'] = 0; $sec2 = get_parameter('sec2');
$config['filemanager']['message'] = null; if ($sec2 == 'enterprise/godmode/agentes/collections' || $sec2 == 'advanced/collections') {
$homedir_filemanager .= '/attachment/collection/';
check_login();
if (! check_acl($config['id_user'], 0, 'AW')) {
db_pandora_audit('ACL Violation', 'Trying to access File manager');
include 'general/noaccess.php';
return;
}
if (isset($_FILES['file']) && $_FILES['file']['name'] != '') {
$filename = $_FILES['file']['name'];
$filesize = $_FILES['file']['size'];
$real_directory = (string) get_parameter('real_directory');
$real_directory = io_safe_output($real_directory);
$directory = (string) get_parameter('directory');
$directory = io_safe_output($directory);
$hash = get_parameter('hash', '');
$testHash = md5($real_directory.$directory.$config['dbpass']);
if ($hash != $testHash) {
$config['filemanager']['message'] = ui_print_error_message(__('Security error'), '', true);
} else {
// Copy file to directory and change name
if ($directory == '') {
$nombre_archivo = $real_directory.'/'.$filename;
} else {
$nombre_archivo = $homedir_filemanager.'/'.$directory.'/'.$filename;
}
if (! @copy($_FILES['file']['tmp_name'], $nombre_archivo)) {
$config['filemanager']['message'] = ui_print_error_message(__('Attach error'), '', true);
} else {
// Delete temporal file
unlink($_FILES['file']['tmp_name']);
// Extract the zip file
$zip = new ZipArchive;
$pathname = $homedir_filemanager.'/'.$directory.'/';
if ($zip->open($nombre_archivo) === true) {
$zip->extractTo($pathname);
unlink($nombre_archivo);
}
$config['filemanager']['message'] = ui_print_success_message(__('Upload correct'), '', true);
$config['filemanager']['correct_upload_file'] = 1;
}
}
}
} }
// CREATE DIR // CREATE DIR

13
pandora_console/operation/snmpconsole/snmp_mib_uploader.php
View File

@ -69,6 +69,19 @@ $real_directory = realpath($config['homedir'].'/'.$directory);
ui_print_info_message(__('MIB files will be installed on the system. Please note that a MIB may depend on other MIB. To customize trap definitions use the SNMP trap editor.')); ui_print_info_message(__('MIB files will be installed on the system. Please note that a MIB may depend on other MIB. To customize trap definitions use the SNMP trap editor.'));
$upload_file_or_zip = (bool) get_parameter('upload_file_or_zip');
$create_text_file = (bool) get_parameter('create_text_file');
$default_real_directory = realpath($config['homedir'].'/'.$fallback_directory);
if ($upload_file_or_zip) {
upload_file($upload_file_or_zip, $default_real_directory);
}
if ($create_text_file) {
create_text_file($default_real_directory);
}
filemanager_file_explorer( filemanager_file_explorer(
$real_directory, $real_directory,
$directory, $directory,