PHP file upload and remote code execution in Pandora FMS <= 7.42 in the File Repository

CVE-2020-8511

The vendor does not want to allow uploading and executing PHP files in Pandora FMS, even with an Admin account, and introduced a protection mechanism to solve the issue. Unfortunately, the applied solution is not enough to block an attacker. The issue is very similar to CVE-2020-7935, but it is not the same.

Technical Details

Note: The vulnerability is exploitable only with a Web Admin account.

Tools -> File Repository -> Management View

Interestingly, the File Repository allows us to upload PHP files, but it is not possible to execute them via the File Repository. The vendor solved this with a tricky get_file.php, which gives back the contents of a PHP file.

The filename can change during the upload, but the exact filename is visible in the form.

The system stores the files in the http://.../pandora_console/attachment/file_repo/ directory. Unfortunately, this folder is accessible without any authentication. These "privately shared" files could contain sensitive information: users may treat the repository as an "internal" file share, but it is neither internal nor private.
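For defenders, the following added example (not part of the original write-up or of Pandora FMS) scans web server access logs for requests that reach the file_repo directory directly, bypassing get_file.php, and separates script requests from plain downloads. It assumes the common/combined log format; the extension list, function names and sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Directory named in the write-up; its contents are served without authentication.
REPO_PREFIX = "/pandora_console/attachment/file_repo/"
# Assumption: extensions the web server may hand to PHP; match your handler config.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")

# Common/combined log format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (host, path, status, kind) for a direct file_repo request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, decode percent-escapes, collapse //, ./ and ../
    raw = unquote(m["target"].split("?", 1)[0])
    path = posixpath.normpath("/" + raw.lstrip("/"))
    if raw.endswith("/"):
        path += "/"
    if not path.lower().startswith(REPO_PREFIX):
        return None
    # Check every segment below the repository, not only the last one.
    segments = path[len(REPO_PREFIX):].lower().split("/")
    is_script = any(s.rstrip(". ").endswith(SCRIPT_EXTS) for s in segments)
    kind = "script-request" if is_script else "direct-download"
    return m["host"], path, int(m["status"]), kind

def scan(lines):
    """Classify every line and keep only the file_repo hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE = [
    '192.0.2.10 - - [01/Feb/2020:10:00:01 +0000] "GET /pandora_console/index.php?sec=extensions HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [01/Feb/2020:10:02:13 +0000] "GET /pandora_console/attachment/file_repo/1_report.pdf HTTP/1.1" 200 88211 "-" "-"',
    '198.51.100.7 - - [01/Feb/2020:10:02:40 +0000] "GET /pandora_console//attachment/./file_repo/2_test.PHP?x=1 HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.9 - - [01/Feb/2020:10:03:02 +0000] "GET /pandora_console/attachment/file_repo/%33_notes.ph%70 HTTP/1.1" 404 196 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Any hit with status 200 means a file was served straight from the directory without the console's authentication; script-request hits warrant review of the uploaded file itself.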

Proof

Additional content

Demo video