From a203c4cd6ec4897627e328db7228b4ad156af496 Mon Sep 17 00:00:00 2001
From: Kevin Duret
Date: Wed, 30 Oct 2019 08:33:15 +0100
Subject: [PATCH] fix(security): fix RCE on mib import from manufacturer input (#8023)
Refs: MON-4095
---
 .../configObject/traps-mibs/formMibs.php | 48 +++++++++++--------
 1 file changed, 27 insertions(+), 21 deletions(-)
diff --git a/www/include/configuration/configObject/traps-mibs/formMibs.php b/www/include/configuration/configObject/traps-mibs/formMibs.php
index b544a28e66c..3421f4ca6af 100644
--- a/www/include/configuration/configObject/traps-mibs/formMibs.php
+++ b/www/include/configuration/configObject/traps-mibs/formMibs.php
@@ -62,17 +62,15 @@ function myDecodeMib($arg)
 /*
 * Manufacturer information
 */
-$attrManufacturer= array(
+$route = './include/common/webServices/rest/internal.php?object=centreon_configuration_manufacturer&action=list';
+$attrManufacturer = array(
 'datasourceOrigin' => 'ajax',
- 'availableDatasetRoute' => './include/common/webServices/rest/internal.php?object=centreon_configuration_manufacturer&action=list',
+ 'availableDatasetRoute' => $route,
 'multiple' => false,
 'linkedObject' => 'centreonManufacturer'
 );
-$attrManufacturer1 = array_merge(
- $attrManufacturer,
- array('defaultDatasetRoute' => './include/common/webServices/rest/internal.php?object=centreon_configuration_manufacturer&action=defaultValues&target=traps&field=manufacturer_id&id=')
-);
-$form->addElement('select2', 'mnftr', _("Vendor Name"), array(), $attrManufacturer1);
+
+$form->addElement('select2', 'mnftr', _("Vendor Name"), array(), $attrManufacturer);
 $form->addElement('file', 'filename', _("File (.mib)"));
@@ -106,38 +104,46 @@ function myDecodeMib($arg)
 */
 $subA = $form->addElement('submit', 'submit', _("Import"), array("class" => "btc bt_success"));
 $form->addElement('header', 'status', _("Status"));
-$valid = false;
 $msg = null;
 $stdout = null;
 if ($form->validate()) {
 $ret = $form->getSubmitValues();
- $fileObj = $form->getElement('filename');
+ $manufacturerId = filter_var($ret['mnftr'], FILTER_VALIDATE_INT);
- if ($fileObj->isUploadedFile()) {
+ if ($manufacturerId === false) {
+ $tpl->assign('msg', 'Wrong manufacturer given.');
+ } elseif ($fileObj->isUploadedFile()) {
 /*
 * Upload File
 */
 $values = $fileObj->getValue();
 $msg .= str_replace("\n", "
", $stdout); - $msg .= "
Moving traps in DataBase...";
+ $msg .= "
Moving traps in database...";
+
+ $command = "@CENTREONTRAPD_BINDIR@/centFillTrapDB -f '" . $values["tmp_name"]
+ . "' -m " . $manufacturerId . " --severity=info 2>&1";
 if ($debug) {
- print("@CENTREONTRAPD_BINDIR@/centFillTrapDB -f '".$values["tmp_name"]."' -m ".htmlentities($ret["mnftr"], ENT_QUOTES, "UTF-8")." --severity=info 2>&1");
+ print($command);
 }
- $stdout = shell_exec("@CENTREONTRAPD_BINDIR@/centFillTrapDB -f '".$values["tmp_name"]."' -m ".htmlentities($ret["mnftr"], ENT_QUOTES, "UTF-8")." --severity=info 2>&1");
+ $stdout = shell_exec($command);
 unlink($values['tmp_name']);
- $msg .= "
".str_replace("\n", "
", $stdout); - $msg .= "
Generate Traps configuration files from Monitoring Engine configuration form!";
- if ($msg) {
- if (strlen($msg) > $max_characters) {
- $msg = substr($msg, 0, $max_characters)."...".sprintf(_("Message truncated (exceeded %s characters)"), $max_characters);
- }
- $tpl->assign('msg', $msg);
+
+ if ($stdout === null) {
+ $msg .= '
An error occured during generation.';
+ } else {
+ $msg .= '
' . str_replace('\n', '
', $stdout)
+ . '
Generate Traps configuration files from Monitoring Engine configuration form!';
+ }
+
+ if (strlen($msg) > $max_characters) {
+ $msg = substr($msg, 0, $max_characters) . "..." .
+ sprintf(_("Message truncated (exceeded %s characters)"), $max_characters);
 }
+ $tpl->assign('msg', $msg);
 }
- $valid = true;
 }
 /*
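Review bot: The added `str_replace('\n', …, $stdout)` in the `else` branch after the `shell_exec` call searches for a single-quoted `'\n'`, which PHP reads as the two literal characters backslash and n, so newlines in `$stdout` are no longer converted the way the removed double-quoted `"\n"` form did; keep `"\n"` as the search string. The rebuilt `$command` still embeds `$values["tmp_name"]` between hand-written single quotes; that path comes from PHP's upload handling rather than the request, but `escapeshellarg()` removes the dependence on that assumption: `$command = '@CENTREONTRAPD_BINDIR@/centFillTrapDB -f ' . escapeshellarg($values['tmp_name']) . ' -m ' . $manufacturerId . ' --severity=info 2>&1';`. As rendered, the hunk removes `$fileObj = $form->getElement('filename');` while the added `} elseif ($fileObj->isUploadedFile()) {` still reads `$fileObj`; if that deletion is real rather than an artefact of this rendering, `$fileObj` is undefined at the `elseif`. The new user-facing string `'An error occured during generation.'` should read "occurred", and neither it nor `'Wrong manufacturer given.'` goes through `_()` like the surrounding messages do. Several context lines between `$values = $fileObj->getValue();` and the first `str_replace` appear to be missing from this rendering, so that stretch was not reviewed.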