This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

fix(secu): rce vulnerability when using command's testing feature #7232

Merged
merged 4 commits into from
Mar 5, 2019

Conversation

sc979
Contributor

@sc979 sc979 commented Feb 26, 2019

Original author : @gquere
Adding: bindValue methods to prevent SQL injection, and PSR2 style

Authenticated RCE

An RCE was exploitable in minPlayCommand.php

Fixes # (issue) : none

Type of change

  • Patch fixing an issue (non-breaking change)

Target serie

  • 18.10.x -> to be cherry-picked
  • 19.04.x (master)

How can this pull request be tested?

Ask me in private please.

Checklist

Community contributors & Centreon team
  • I followed the coding style guidelines provided by Centreon.
  • I have rebased my development branch on the base branch (master, maintenance).
  • I have updated the release note in the dedicated temporary section. *
Centreon team only
  • I have made sure that the unit tests related to the story are successful.
  • I have made sure that unit tests cover 80% of the code written for the story.
  • I have made sure that acceptance tests related to the story are successful (local and CI).

@sc979 sc979 changed the title Mon 3310 authenticated rce minplay command fix(secu): rce vulnerability when using command's testing feature Feb 26, 2019
@sc979 sc979 force-pushed the MON-3310-authenticated-rce-minplay-command branch from d5a6a3a to b45f617 Compare February 27, 2019 08:54
Guillaume Quéré and others added 4 commits March 5, 2019 09:40
Concatenation of unsanitized command_hostaddress GET parameter to shell_exec leads to remote code execution.

Note: there is too much crafting/filtering going on in this module to be confident in anything:
* GET variables are filtered earlier, e.g. "'" becomes "'"
* GET command_line is urldecoded
* some args are escapeshellargs()
* some commands are escapeshellcmd()
* AFTER that there are some str_replace (which is what I abused)
* then there's a path traversal check
* then the command is executed

Exploitation example
====================
http://192.168.56.103/centreon/main.php?p=60801&type=2&min=1&command_line=/usr/lib64/nagios/plugins%20@DOLLAR@HOSTADDRESS@DOLLAR@&command_hostaddress=$(touch%20/tmp/coucou);
(note: need to set POST variables o1 and o2 to 'p')

[root@centreon-central ~]# find /tmp/ -type f
/tmp/systemd-private-7b84d445a6284536b1db91a498bafc4d-rh-php71-php-fpm.service-iTZJzF/tmp/coucou
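As an added illustration (not Centreon's code and not this PR's diff), the snippet below models the ordering the commit message describes, escaping the template and then pasting the macro value in raw, beside a hardened variant that validates and quotes the host address before it is substituted. The function names are invented; the @DOLLAR@ placeholder is taken from the exploit URL above.

```php
<?php
// Added illustration, not Centreon's code. Models the ordering described in the commit
// message: the template is escaped first, then the macro value is pasted in unsanitized.
// The @DOLLAR@ placeholder comes from the exploit URL; the function names are invented.

/** Unsafe: escaping the template cannot protect a value substituted afterwards. */
function buildCommandUnsafe(string $commandLine, string $hostAddress): string
{
    $cmd = escapeshellcmd($commandLine);                 // only the template is escaped
    $cmd = str_replace('@DOLLAR@', '$', $cmd);           // placeholder becomes a real macro
    // Raw request data enters the shell string after all escaping has already happened.
    return str_replace('$HOSTADDRESS$', $hostAddress, $cmd);
}

/** Hardened: accept only an IP literal or a hostname, then quote it as one argument. */
function buildCommandSafe(string $commandLine, string $hostAddress): ?string
{
    $isIp = filter_var($hostAddress, FILTER_VALIDATE_IP) !== false;
    $hostnameRe = '/^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/D';
    if (!$isIp && !preg_match($hostnameRe, $hostAddress)) {
        return null;                                     // reject; do not try to clean it
    }
    $cmd = str_replace('@DOLLAR@', '$', $commandLine);
    // The value is quoted as a single argument before it joins the command, and nothing
    // re-expands or rewrites the string afterwards.
    return str_replace('$HOSTADDRESS$', escapeshellarg($hostAddress), $cmd);
}

// Constructed inputs
$template = '/usr/lib64/nagios/plugins/check_ping -H @DOLLAR@HOSTADDRESS@DOLLAR@';
$hostile  = '$(id)';                                     // shell substitution in the macro value
$benign   = '192.0.2.10';

echo buildCommandUnsafe($template, $hostile), PHP_EOL;   // metacharacters survive into the command
var_dump(buildCommandSafe($template, $hostile));         // rejected values come back as null
echo buildCommandSafe($template, $benign), PHP_EOL;      // address arrives single-quoted
```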
@sc979 sc979 force-pushed the MON-3310-authenticated-rce-minplay-command branch from b45f617 to 6f30c41 Compare March 5, 2019 08:40
@sc979 sc979 merged commit 8925812 into master Mar 5, 2019
@sc979 sc979 deleted the MON-3310-authenticated-rce-minplay-command branch March 5, 2019 08:41
sc979 added a commit that referenced this pull request Mar 5, 2019

* fix(secu): Authenticated RCE in minPlayCommand.php
Concatenation of unsanitized command_hostaddress GET parameter to shell_exec leads to remote code execution.

* fix: rce vulnerability when using testing feature
* release note for 19.04.0
* style(PSR2)
vhr pushed a commit that referenced this pull request Mar 13, 2019
victorvassilev added a commit that referenced this pull request Mar 22, 2019
* fix(security): fix vulnerability for file loading
Disallow inclusion of files from incorrect folders in broker performance.
Resolves: MON-3312

* style: psr2

* feat(clapi) add acknowledgement in clapi

* add acknowledgement by clapi
* add doc
* add acceptance

* fix(deadCode): removing file unused since a previous major release (#7229)

* enh(doc): improved English documentation, thanks to jefestyler (#7238)

* fix(doc): add entry in toc and correct table format

* Doc improve install chapters (#7239)

* fix(doc): re-add quickstart shortlink
* enh(doc): add configuration of proxy in post installation

* fix(front): manage properly session expiration + avoid login inception (#7202)

* fix(sec): allow to set illegal characters for centcore (#7206)

* fix(sec): allow to set illegal characters for centcore

* add french translation for centcore illegal characters

* update properly centcore parameter in database

* move upgrade script

* fix(secu): rce vulnerability when using command's testing feature (#7232)

* fix(secu): Authenticated RCE in minPlayCommand.php
Concatenation of unsanitized command_hostaddress GET parameter to shell_exec leads to remote code execution.

* fix: rce vulnerability when using testing feature
* release note for 19.04.0
* style(PSR2)

* enh(CI): fixing UTF warnings

* feat(API) API to Get/Set/Export/Import Command Arg Descriptions

* feat(API) Add showinstance CLAPI command to Host (#7199)

* enh(doc): Improved disk space calculation table

* enh(doc): add workbook to calculate the size of the platform

* doc(release notes): Add missing release notes from 2.8.x

* enh(doc): improve poller configuration

Conflicts:
	doc/en/administration_guide/poller/wizard_add_poller.rst

* enh(doc): Add custom code description for SNMP trap

* fix(doc): Remove 2.5 description in trap documentation

* enh(doc): add order of achievement of actions by the centreontrapd process

* fix(doc): correct location of database conf for trap on poller - ref #7011

* fix(doc): correct typo

* fix(doc): remove unused image

* fix(doc): enable services after remote server installation (#7027)

* fix(doc): enable services after remote server installation
* fix(doc): add enable_services.rst

* enh(doc): Update upgradetoCentreon18.10.rst (#6934)

Update FR & EN chapter to manage MySQL migration from Centreon 3.4.x to Centreon 18.10.x

* fix(doc): describe directory of XML files for partitioning

* enh(ui): indent third level menu (#7251)

* enh(DT): fix search filter for recurrent downtimes (#7201)

* Mon 3112 fix source install (#7160)

* fix(install): fix installation from sources on 18.10.x

* fix(security): fix vulnerability for file loading
Disallow inclusion of files from incorrect folders in broker performance.
Resolves: MON-3312

* style: psr2
4 participants