From c44b595c8a2110231cf8e5bc9f65eb98f4c435ef Mon Sep 17 00:00:00 2001
From: alejandro-campos <alejandro.campos@artica.es>
Date: Wed, 22 Jan 2020 17:20:13 +0100
Subject: [PATCH] fixed vulnerability

---
 pandora_console/index.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pandora_console/index.php b/pandora_console/index.php
index 56782fd9ef..c1c9dd5d35 100755
--- a/pandora_console/index.php
+++ b/pandora_console/index.php
@@ -1234,9 +1234,13 @@ if ($searchPage) {
 
             if (isset($_GET['sec2'])) {
                 $file = $_GET['sec2'].'.php';
+                // Make file path absolute to prevent accessing remote files.
+                $file = __DIR__.'/'.$file;
                 // Translate some secs.
                 $main_sec = get_sec($_GET['sec']);
                 $_GET['sec'] = ($main_sec == false) ? $_GET['sec'] : $main_sec;
+
+                // Third condition is aimed to prevent from traversal attack.
                 if (!file_exists($file)
                     || ($_GET['sec2'] != 'general/logon_ok' && enterprise_hook(
                         'enterprise_acl',
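Review bot: The added comment calls the realpath test the "third condition", and that ordering means `file_exists($file)` and the `enterprise_acl` hook both run on the untrusted `$_GET['sec2']` before the path has been confined to the console directory. Evaluating the path check right after `!file_exists($file)` (before the `enterprise_hook` call) would keep the ACL hook from ever seeing a path outside `__DIR__`, at no cost to the result. The `if` opened at the end of this hunk is closed in the next one.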
@@ -1247,7 +1251,8 @@ if ($searchPage) {
                             true,
                             isset($_GET['sec3']) ? $_GET['sec3'] : '',
                         ]
-                    ) == false)
+                    ) == false
+                    || strpos(realpath($file), __DIR__) === false)
                 ) {
                     unset($_GET['sec2']);
                     include 'general/noaccess.php';
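Review bot: The traversal guard `strpos(realpath($file), __DIR__) === false` only rejects resolved paths in which `__DIR__` does not occur anywhere, so it is a substring test rather than the prefix test the comment in the first hunk describes; a sibling directory whose name merely begins with the console directory's path would also pass. Anchoring the match at offset 0 and including the separator closes both gaps: `|| strpos(realpath($file), realpath(__DIR__).DIRECTORY_SEPARATOR) !== 0`. Using `realpath(__DIR__)` on the right-hand side also avoids a spurious rejection when the console is served through a symlinked directory, since `realpath($file)` resolves links while `__DIR__` is left as-is — worth confirming against the deployment layout. The `if` whose condition this line completes opens in the previous hunk.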