Relative Path Traversal to Remote Code Execution in pandorafms/pandorafms


Reported on Feb 20th 2022


Pandora FMS v7.0NG.759 allows relative path traversal in the File Manager: a privileged user can upload a .php file outside the intended images directory, which is the only location configured to block execution of .php files. The impact could be Remote Code Execution with the privileges of the running application.

Proof of Concept

Affected version: Pandora FMS v7.0NG.759 - OUM 759 - MR 51
Affected component: Console
Affected endpoint:

POST http://$HOST/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager


Request file passwd: X4v9W4qP87


This vulnerability is capable of executing OS commands with the privileges of the running application.
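The weakness described above is an upload destination that is trusted as given, so a relative path such as ../ moves the written file out of the directory where PHP execution is disabled. The following is an added example written for this page, not code from Pandora FMS, showing the containment check a file-manager upload handler needs: the file name must be a single path component, the extension must be on an image allowlist with no executable-looking inner segment, and the normalised target must still lie under the upload root. The root path, the function name resolve_upload_path and the constructed test inputs are assumptions for the example.

```python
import posixpath

# Assumed upload root for this example; not a path taken from Pandora FMS.
UPLOAD_ROOT = "/var/www/pandora_console/images"

# Only image types belong in the images directory.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg"}

# Segments that some web server configurations hand to the PHP interpreter
# even when a harmless-looking extension follows them (e.g. "logo.php.png").
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def resolve_upload_path(upload_root: str, sub_dir: str, filename: str) -> str:
    """Return the absolute destination path for an upload, or raise ValueError.

    upload_root must be an absolute path. sub_dir is the user-chosen directory
    inside the file manager and filename is the name from the multipart form;
    both are untrusted and may contain ".." components.
    """
    # 1. The file name must be exactly one path component.
    if filename in ("", ".", "..") or posixpath.basename(filename) != filename:
        raise ValueError(f"invalid file name: {filename!r}")

    # 2. Allowlist the final extension and refuse executable inner segments.
    stem, ext = posixpath.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    if any(seg.lower() in EXECUTABLE_SEGMENTS for seg in stem.split(".")):
        raise ValueError(f"executable segment in file name: {filename!r}")

    # 3. Normalise the full path (collapsing ".." components) and prove that
    #    the result still lies under the upload root.
    root = posixpath.normpath(upload_root)
    target = posixpath.normpath(
        posixpath.join(root, sub_dir.strip("/"), filename)
    )
    if posixpath.commonpath([root, target]) != root:
        raise ValueError(f"path escapes upload root: {target}")
    return target


if __name__ == "__main__":
    # Constructed requests: the first is legitimate, the rest mimic the
    # traversal and file-type abuse a hardened handler must reject.
    cases = [
        ("icons", "logo.png"),
        ("../../", "shell.png"),      # traversal in the directory field
        ("", "../shell.png"),         # traversal in the file name
        ("", "shell.php"),            # executable type
        ("", "shell.php.png"),        # double extension
    ]
    for sub_dir, name in cases:
        try:
            print("ACCEPT", resolve_upload_path(UPLOAD_ROOT, sub_dir, name))
        except ValueError as err:
            print("REJECT", err)
```

The order of the checks matters less than doing all three: the extension allowlist alone would not have stopped a .php upload from being written somewhere it executes if the allowlist were relaxed, and the containment check alone would still let an executable file land inside a directory that the web server happens to serve with PHP enabled. Normalising before comparing is what defeats the relative ../ sequences; comparing string prefixes of the raw input would not.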

We are processing your report and will contact the pandorafms team within 24 hours. 9 months ago
We have contacted a member of the pandorafms team and are waiting to hear back 9 months ago
We have sent a follow up to the pandorafms team. We will try again in 7 days. 9 months ago
The pandorafms/pandorafms maintainer has invalidated this vulnerability 9 months ago

This feature is allowed to upload all types of files. There is an ACL system in Pandora FMS where you can limit the upload of these files.

The disclosure bounty has been dropped
The fix bounty has been dropped
Faisal Fs ⚔️, a month ago:

Pandora FMS Advisory:

