Merge branch 'ent-5324-Remote-file-inclusion-phar-object-injection-as-lowest-privileged-user' into 'develop'

fixed vulnerability See merge request artica/pandorafms!3023
2020-01-23 11:04:40 +01:00 · 2020-01-23 11:04:40 +01:00 · a0ef0e1ee1
parent 2447514c41 c44b595c8a
commit a0ef0e1ee1
1 changed files with 6 additions and 1 deletions
--- a/pandora_console/index.php
+++ b/pandora_console/index.php
@ -1234,9 +1234,13 @@ if ($searchPage) {

            if (isset($_GET['sec2'])) {
                $file = $_GET['sec2'].'.php';
+                // Make file path absolute to prevent accessing remote files.
+                $file = __DIR__.'/'.$file;
                // Translate some secs.
                $main_sec = get_sec($_GET['sec']);
                $_GET['sec'] = ($main_sec == false) ? $_GET['sec'] : $main_sec;
+
+                // Third condition is aimed to prevent from traversal attack.
                if (!file_exists($file)
                    || ($_GET['sec2'] != 'general/logon_ok' && enterprise_hook(
                        'enterprise_acl',
@ -1247,7 +1251,8 @@ if ($searchPage) {
                            true,
                            isset($_GET['sec3']) ? $_GET['sec3'] : '',
                        ]
-                    ) == false)
+                    ) == false
+                    || strpos(realpath($file), __DIR__) === false)
                ) {
                    unset($_GET['sec2']);
                    include 'general/noaccess.php';