CVE-2023-34096: panorama: fix folder validation · sni/Thruk@cf03f67
Thruk is a multi-backend monitoring web interface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file panorama.pm is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (.) and the slash (/). A fix is available in version 3.06.2.
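As an added illustration (not Thruk's code and not part of this commit), the following self-contained Perl helper confines an upload target to a base directory the way the advisory calls for. It covers two cases a bare string-prefix check can miss: a sibling directory whose name starts with the base folder's name, and a location that does not exist. The base directory, the location values and the temporary layout are all constructed for the demo; the function name resolve_upload_folder is an assumption, not a Thruk API.

```perl
# Added example, not Thruk's code: confine an upload target to a base directory.
use strict;
use warnings;
use Cwd qw/abs_path/;
use File::Spec;
use File::Temp qw/tempdir/;
use File::Path qw/make_path/;

# Returns the resolved target directory if it is $base itself or a real
# subdirectory of it, otherwise undef. Both sides are canonicalised with
# abs_path so ".." segments and symlinks are resolved before comparing.
sub resolve_upload_folder {
    my ($base, $location) = @_;
    my $abs_base = abs_path($base);
    return undef unless defined $abs_base;
    # abs_path returns undef when the path cannot be resolved, so a
    # location pointing at a missing directory fails closed here.
    my $abs_target = abs_path(File::Spec->catdir($base, $location));
    return undef unless defined $abs_target;
    # Compare on a directory boundary: exact match, or "$abs_base/" as prefix.
    # A plain prefix test would also accept "$abs_base" . "_backup".
    return $abs_target if $abs_target eq $abs_base;
    return $abs_target if index($abs_target, $abs_base . '/') == 0;
    return undef;
}

# Self-check on a constructed directory layout (constructed for this demo,
# not real Thruk paths).
sub demo {
    my $root = tempdir(CLEANUP => 1);
    my $base = "$root/usercontent";
    make_path("$base/images", "$root/usercontent_backup", "$root/etc");
    my @cases = (
        ['images',                1],   # legitimate subfolder
        ['',                      1],   # base folder itself
        ['../etc',                0],   # traversal out of base
        ['../usercontent_backup', 0],   # sibling sharing the prefix string
        ['does/not/exist',        0],   # non-existent target
    );
    my @results;
    for my $case (@cases) {
        my ($loc, $expect_ok) = @$case;
        my $got = resolve_upload_folder($base, $loc);
        my $ok  = defined $got ? 1 : 0;
        push @results, sprintf("%-26s %s", "'$loc'", $ok == $expect_ok ? 'PASS' : 'FAIL');
    }
    return @results;
}

print "$_\n" for demo();
```

Running the script prints PASS for all five constructed cases; the '../usercontent_backup' case is the one that distinguishes the boundary-aware comparison from a plain regex prefix match.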
@@ -4,6 +4,7 @@ use warnings;
use strict;
use Carp qw/confess/;
use Cpanel::JSON::XS qw/decode_json/;
use Cwd qw/abs_path/;
use Data::Dumper qw/Dumper/;
use Encode qw(encode_utf8);
use File::Copy qw/move copy/;
@@ -704,6 +705,14 @@ sub _task_upload {
my $upload = $c->req->uploads->{$type};
my $folder = $c->stash->{’usercontent_folder’}.’/’.$location;
make sure folder is a subfolder of the usercontent folder
my $abs_user = abs_path($c->stash->{’usercontent_folder’});
my $abs_target = abs_path($folder);
if($abs_target !~ m/^\Q$abs_user\E/mx) {
$c->stash->{text} = Thruk::Utils::Filter::json_encode({ ‘msg’ => 'Fileupload must be a subfolder of the user content folder.’, success => Cpanel::JSON::XS::false });
return;
}
if(!-w $folder.’/.’) {
must be text/html result, otherwise extjs form result handler dies
$c->stash->{text} = Thruk::Utils::Filter::json_encode({ ‘msg’ => 'Fileupload must use existing and writable folder.’, success => Cpanel::JSON::XS::false });
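Review bot: the containment test `if($abs_target !~ m/^\Q$abs_user\E/mx)` is a plain string-prefix match, so a resolved target that merely starts with the same characters as the user content folder (a sibling directory named like the base folder plus a suffix) would also pass; compare on a directory boundary instead, e.g. `$abs_target eq $abs_user || $abs_target =~ m/^\Q$abs_user\E\//x`, and drop the `/m` flag, since `^` should anchor only at the start of the string. Separately, `abs_path($folder)` returns undef when `$folder` cannot be resolved (the `-w $folder.'/.'` check below already rejects such folders), so the regex is then applied to an undefined value and emits an "uninitialized value" warning under `use warnings`; an explicit `if(!defined $abs_target || ...)` keeps the fail-closed behaviour without the noise.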
Related news
Thruk Monitoring Web Interface versions 3.06 and below are affected by a path traversal vulnerability.