HOR-4017 CLONE 3.2.2 - Unauthenticated download of any file from server with "processes/processes_GetFile" page + Path Traversal
- Add path validation: only PATH_DATA_MAILTEMPLATES or PATH_DATA_PUBLIC are allowed as the base directory
@@ -181,6 +181,10 @@ class RBAC
|
|||||||
'DEL' => ['PM_SETUP'],
|
'DEL' => ['PM_SETUP'],
|
||||||
'LST' => ['PM_SETUP'],
|
'LST' => ['PM_SETUP'],
|
||||||
'TEST' => ['PM_SETUP']
|
'TEST' => ['PM_SETUP']
|
||||||
|
],
|
||||||
|
'processes_GetFile.php' => [
|
||||||
|
'mailTemplates' => ['PM_FACTORY'],
|
||||||
|
'public' => ['PM_FACTORY']
|
||||||
]
|
]
|
||||||
];
|
];
|
||||||
$this->aliasPermissions['PM_CASES'] = [self::PM_GUEST_CASE];
|
$this->aliasPermissions['PM_CASES'] = [self::PM_GUEST_CASE];
|
||||||
|
|||||||
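Review bot: The new `'processes_GetFile.php'` entry keys the permission lookup on the raw `MAIN_DIRECTORY` request value, and nothing in the table documents what `allows()` does for a value that is neither `mailTemplates` nor `public`, or for a missing one. The companion hunk in processes_GetFile.php rejects unknown values with `die()` in its `switch`, but the RBAC table should state its own contract rather than rely on that. A comment on the entry would do, e.g. `// keys must match the MAIN_DIRECTORY values accepted by processes_GetFile.php; any other value must be denied, not skipped`. The rest of the permissions array lies outside this hunk.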
@@ -1,18 +1,32 @@
|
|||||||
<?php
|
<?php
|
||||||
switch ($_GET['MAIN_DIRECTORY']) {
|
global $RBAC;
|
||||||
|
$RBAC->allows(basename(__FILE__), $_GET['MAIN_DIRECTORY']);
|
||||||
|
|
||||||
|
$mainDirectory = !empty($_GET['MAIN_DIRECTORY']) ? $_GET['MAIN_DIRECTORY'] : '';
|
||||||
|
$proUid = !empty($_GET['PRO_UID']) ? $_GET['PRO_UID'] : '';
|
||||||
|
$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? realpath($_GET['CURRENT_DIRECTORY']) . PATH_SEP : '';
|
||||||
|
$file = !empty($_GET['FILE']) ? realpath($_GET['FILE']) : '';
|
||||||
|
$extension = (!empty($_GET['sFilextension']) && $_GET['sFilextension'] === 'javascript') ? '.js' : '';
|
||||||
|
|
||||||
|
//validated process exists, return throw if not exists.
|
||||||
|
$process = new Process();
|
||||||
|
$process->load($proUid);
|
||||||
|
|
||||||
|
switch ($mainDirectory) {
|
||||||
case 'mailTemplates':
|
case 'mailTemplates':
|
||||||
$sDirectory = PATH_DATA_MAILTEMPLATES . $_GET['PRO_UID'] . PATH_SEP . ($_GET['CURRENT_DIRECTORY'] != '' ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '');
|
$directory = PATH_DATA_MAILTEMPLATES;
|
||||||
break;
|
break;
|
||||||
case 'public':
|
case 'public':
|
||||||
$sDirectory = PATH_DATA_PUBLIC . $_GET['PRO_UID'] . PATH_SEP . ($_GET['CURRENT_DIRECTORY'] != '' ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '');
|
$directory = PATH_DATA_PUBLIC;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
die();
|
die();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
//fixed: added a file extension when is a javascript file by krlos
|
|
||||||
$_GET['FILE'] .= ($_GET['sFilextension'] != '' && $_GET['sFilextension'] == 'javascript') ? '.js' : '';
|
|
||||||
|
|
||||||
if (file_exists( $sDirectory . $_GET['FILE'] )) {
|
$directory .= $proUid . PATH_SEP . $currentDirectory;
|
||||||
G::streamFile( $sDirectory . $_GET['FILE'], true );
|
$file .= $extension;
|
||||||
|
|
||||||
|
if (file_exists($directory . $file)) {
|
||||||
|
G::streamFile($directory . $file, true);
|
||||||
}
|
}
|
||||||
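Review bot: The `realpath()` calls on `$_GET['CURRENT_DIRECTORY']` and `$_GET['FILE']` in the new parameter block do not confine the download to the selected base directory: `realpath()` resolves each raw value against the process working directory and returns an absolute path or `false`, so the later `$directory . $file` is either a malformed path or, when the lookup fails, just `$directory` itself — which `file_exists()` accepts for a directory, so `G::streamFile()` would be handed the directory. The containment check belongs on the assembled path: keep the raw request values, resolve `$directory . $file` once, and require the result to start with `realpath($directory) . PATH_SEP` and to be a regular file before streaming, as sketched below. The return value of `$RBAC->allows(...)` is also ignored, so the access check only holds if `allows()` terminates the request itself on denial — worth stating in a comment on that line, and `$_GET['MAIN_DIRECTORY']` is read there without an `isset()` guard unlike the lines that follow.
```php
$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '';
$file = !empty($_GET['FILE']) ? $_GET['FILE'] : '';
// … unchanged: $extension, Process load, switch on $mainDirectory …
$directory .= $proUid . PATH_SEP . $currentDirectory;
$file .= $extension;

// Resolve the assembled path once and require it to stay inside the selected
// base directory; is_file() also rejects directories, which file_exists() accepts.
$base = realpath($directory);
$target = realpath($directory . $file);
$prefix = $base . PATH_SEP;
if ($base === false || $target === false || strncmp($target, $prefix, strlen($prefix)) !== 0 || !is_file($target)) {
    die();
}
G::streamFile($target, true);
```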