tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-27 15:54:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ent-5324-Remote-file-inclusion-phar-object-injection-as-lowest-privileged-user' into 'develop'

Browse Source 
fixed vulnerability

See merge request artica/pandorafms!3023
This commit is contained in:
Daniel Rodriguez 2020-01-23 11:04:40 +01:00
commit a0ef0e1ee1
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
pandora_console/index.php
View File

@ -1234,9 +1234,13 @@ if ($searchPage) {
if (isset($_GET['sec2'])) { if (isset($_GET['sec2'])) {
$file = $_GET['sec2'].'.php'; $file = $_GET['sec2'].'.php';
// Make file path absolute to prevent accessing remote files.
$file = __DIR__.'/'.$file;
// Translate some secs. // Translate some secs.
$main_sec = get_sec($_GET['sec']); $main_sec = get_sec($_GET['sec']);
$_GET['sec'] = ($main_sec == false) ? $_GET['sec'] : $main_sec; $_GET['sec'] = ($main_sec == false) ? $_GET['sec'] : $main_sec;
// Third condition is aimed to prevent from traversal attack.
if (!file_exists($file) if (!file_exists($file)
|| ($_GET['sec2'] != 'general/logon_ok' && enterprise_hook( || ($_GET['sec2'] != 'general/logon_ok' && enterprise_hook(
'enterprise_acl', 'enterprise_acl',
@ -1247,7 +1251,8 @@ if ($searchPage) {
true, true,
isset($_GET['sec3']) ? $_GET['sec3'] : '', isset($_GET['sec3']) ? $_GET['sec3'] : '',
] ]
) == false) ) == false
|| strpos(realpath($file), __DIR__) === false)
) { ) {
unset($_GET['sec2']); unset($_GET['sec2']);
include 'general/noaccess.php'; include 'general/noaccess.php';