Merge branch 'ent-5324-Remote-file-inclusion-phar-object-injection-as-lowest-privileged-user' into 'develop'

fixed vulnerability

See merge request artica/pandorafms!3023
Daniel Rodriguez 2020-01-23 11:04:40 +01:00
commit a0ef0e1ee1
1 changed files with 6 additions and 1 deletions


@ -1234,9 +1234,13 @@ if ($searchPage) {
if (isset($_GET['sec2'])) {
$file = $_GET['sec2'].'.php';
// Make file path absolute to prevent accessing remote files.
$file = __DIR__.'/'.$file;
// Translate some secs.
$main_sec = get_sec($_GET['sec']);
$_GET['sec'] = ($main_sec == false) ? $_GET['sec'] : $main_sec;
// Third condition is aimed to prevent from traversal attack.
if (!file_exists($file)
|| ($_GET['sec2'] != 'general/logon_ok' && enterprise_hook(
'enterprise_acl',
@ -1247,7 +1251,8 @@ if ($searchPage) {
true,
isset($_GET['sec3']) ? $_GET['sec3'] : '',
]
) == false)
) == false
|| strpos(realpath($file), __DIR__) === false)
) {
unset($_GET['sec2']);
include 'general/noaccess.php';
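Review bot: The new traversal guard on the `|| strpos(realpath($file), __DIR__) === false)` line tests containment, not prefix: it passes whenever the resolved path contains the console directory string anywhere, so a file outside the tree whose path merely embeds that string (or a sibling directory that shares the prefix, e.g. `<console dir>_backup`) is not rejected. A prefix check with a trailing separator closes both gaps: `|| strpos(realpath($file), __DIR__.DIRECTORY_SEPARATOR) !== 0)`. Because `file_exists($file)` is the first operand of the short-circuit `||`, `realpath` only runs on existing files, so the `false` return case cannot reach `strpos` here; it would be worth stating that ordering in the "Third condition" comment, since reordering the operands would silently change what `strpos(false, …)` does. Prefixing `__DIR__.'/'` also defeats stream-wrapper schemes such as `phar://` only because the wrapper no longer starts the string, which is the actual fix for the title's issue and deserves a sentence in the commit description. The `if (isset($_GET['sec2']))` block this belongs to continues past the hunk.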