tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fixed vulnerability

This commit is contained in:
alejandro-campos 2020-01-22 17:20:13 +01:00
parent 738361d237
commit c44b595c8a
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
pandora_console/index.php
View File

@ -1234,9 +1234,13 @@ if ($searchPage) {
if (isset($_GET['sec2'])) { if (isset($_GET['sec2'])) {
$file = $_GET['sec2'].'.php'; $file = $_GET['sec2'].'.php';
// Make file path absolute to prevent accessing remote files.
$file = __DIR__.'/'.$file;
// Translate some secs. // Translate some secs.
$main_sec = get_sec($_GET['sec']); $main_sec = get_sec($_GET['sec']);
$_GET['sec'] = ($main_sec == false) ? $_GET['sec'] : $main_sec; $_GET['sec'] = ($main_sec == false) ? $_GET['sec'] : $main_sec;
// Third condition is aimed to prevent from traversal attack.
if (!file_exists($file) if (!file_exists($file)
|| ($_GET['sec2'] != 'general/logon_ok' && enterprise_hook( || ($_GET['sec2'] != 'general/logon_ok' && enterprise_hook(
'enterprise_acl', 'enterprise_acl',
@ -1247,7 +1251,8 @@ if ($searchPage) {
true, true,
isset($_GET['sec3']) ? $_GET['sec3'] : '', isset($_GET['sec3']) ? $_GET['sec3'] : '',
] ]
) == false) ) == false
|| strpos(realpath($file), __DIR__) === false)
) { ) {
unset($_GET['sec2']); unset($_GET['sec2']);
include 'general/noaccess.php'; include 'general/noaccess.php';