Relative Path Traversal to Remote Code Execution in pandorafms/pandorafms


Reported on

Feb 20th 2022


Pandora FMS v7.0NG.759 allows relative path traversal in File Manager where a privileged user could upload a .php file outside the intended images directory which is restricted to execute the .php file. The impact could lead to Remote Code Execution with running application privilege.

Proof of Concept

Affected version: Pandora FMS v7.0NG.759 - OUM 759 - MR 51
Affected component: Console
Affected endpoint:

POST http://$HOST/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager


Request file passwd: X4v9W4qP87


This vulnerability is capable of executing OS Command with running application privilege.

We are processing your report and will contact the pandorafms team within 24 hours. 2 years ago
We have contacted a member of the pandorafms team and are waiting to hear back 2 years ago
We have sent a follow up to the pandorafms team. We will try again in 7 days. 2 years ago
pandorafms/pandorafms maintainer has invalidated this vulnerability 2 years ago

This feature is allowed to upload all type of files. There is a ACL system in Pandora FMS where you can limit the upload of these files.

The disclosure bounty has been dropped
The fix bounty has been dropped
Faisal Fs ⚔️
a year ago


Faisal Fs ⚔️
a year ago


Pandora FMS Advisory:


to join this conversation