PHP file upload and remote code execution in Pandora FMS <= 7.42 in the File Manager
The vendor does not want to allow us to upload and execute the PHP file even with an Admin account in Pandora FMS. They introduced a protection mechanism in the File Manager to solve the issue. Unfortunately, the applied solution is not enough to block an attacker. I reported the problem to the vendor and they fixed it in the Pandora FMS 7.43? version.
Note: The vulnerability exploitable only with a Web Admin account.
Interestingly the File Manager allows us to upload PHP files, but it is not possible to execute them via the File Manager. The vendor solved it with a tricky get_file.php, which gives back the contents of a PHP file, so it is not possible to execute it via the File Manager.
I checked the upload process. The name of the PHP file remains the original and the exact path and the exact filename is known (and controllable) by the uploader.
The only thing that is missing is a folder where the attacker can store the PHP file, which is accessible from outside. Unfortunately there are folders with this property e.g: http(s)://.../pandora_console/images/backgrounds/. It is possible to create a directory with the File Manager. Unfortunately, the permission of the newly created folder and the file doesn't set properly.
Execute it with curl: