Relative Path Traversal to Remote Code Execution in pandorafms/pandorafms

Valid

Reported on Feb 20th 2022


Description

Pandora FMS v7.0NG.759 allows relative path traversal in the File Manager: a privileged user could upload a .php file outside the intended images directory, the directory in which execution of .php files is restricted. The impact could lead to Remote Code Execution with the privileges of the running application.

Proof of Concept

Affected version: Pandora FMS v7.0NG.759 - OUM 759 - MR 51
Affected component: Console
Affected endpoint:

POST http://$HOST/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager

~

Request file passwd: X4v9W4qP87

Impact

This vulnerability allows execution of OS commands with the privileges of the running application.
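For the defensive side of the issue described above, the following added example (not Pandora FMS code and not from the report) shows a destination containment check for an upload handler. The function name `resolve_upload_path`, its parameters and the temporary directory layout are hypothetical.

```php
<?php
// Added example: names and directory layout are hypothetical, not Pandora FMS code.

/**
 * Map a user-supplied sub-directory and file name to a path inside $baseDir.
 * Throws when the canonical destination would fall outside $baseDir.
 */
function resolve_upload_path(string $baseDir, string $userDir, string $fileName): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload base directory does not exist');
    }

    // realpath() collapses "../" segments and resolves symlinks before the comparison.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userDir);
    if ($target === false || !is_dir($target)) {
        throw new InvalidArgumentException('target directory does not exist');
    }

    // Containment: the target must be the base itself or a directory below it.
    // Comparing against "$base/" avoids accepting a sibling such as "images_old".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('target directory escapes the upload root');
    }

    // Keep only the last path component so the file name cannot carry directories.
    $name = basename(str_replace('\\', '/', $fileName));
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('invalid file name');
    }

    return $target . DIRECTORY_SEPARATOR . $name;
}

// Constructed demo: a temporary tree standing in for an images directory.
$root = sys_get_temp_dir() . '/fm_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/images/custom', 0700, true);

foreach (['custom', '.', '../', 'custom/../..'] as $dir) {
    try {
        echo $dir, ' => ', resolve_upload_path($root . '/images', $dir, 'logo.png'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $dir, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The check only constrains where a file lands; whether files placed there can be executed is decided by the web server configuration for that directory.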

We are processing your report and will contact the pandorafms team within 24 hours. (9 months ago)
We have contacted a member of the pandorafms team and are waiting to hear back. (9 months ago)
We have sent a follow up to the pandorafms team. We will try again in 7 days. (9 months ago)
pandorafms/pandorafms maintainer has invalidated this vulnerability. (9 months ago)

This feature is allowed to upload all types of files. There is an ACL system in Pandora FMS where you can limit the upload of these files.

The disclosure bounty has been dropped
The fix bounty has been dropped
Faisal Fs ⚔️
2 months ago

Researcher


https://nvd.nist.gov/vuln/detail/CVE-2022-1648

Faisal Fs ⚔️
a month ago

Researcher


Pandora FMS Advisory:

image
