OCSInventory-ocsreports
[BUG]
Can anyone tell me whether this bug is fixed or not? When I ran a vulnerability scan I found that this problem is not fixed and the issue is still the same:
OCS Inventory NG could allow a remote authenticated attacker to upload arbitrary files. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system (CVE-2018-15537).
Thank you
Is this solution acceptable? Replace

    <IfModule mod_php5.c>
        AddType application/x-httpd-php .php

with

    <IfModule mod_php5.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>
You are talking about changing this in /etc/apache2/conf-available/ocsinventory-reports.conf, right?
Then for me this would also need an adaptation for the PHP 7.x config part:

    <IfModule mod_php7.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>

I just applied the changes to my production setup and will try whether it fixes this security issue. Will report back.
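The two configurations above differ in how Apache decides that a requested file is PHP. The following is an added example (not code from the OCS Inventory project, from Apache, or from the participants in this thread) that models that decision and audits a conf fragment for it. The model assumes mod_mime's documented multi-extension behaviour (every dot-separated suffix is examined, a later suffix that has a type overrides an earlier one, an unknown suffix is ignored) and that Apache hands a request with no explicit handler to the module registered for the resulting content type; MultiViews, AddHandler and case-insensitive filesystems are left out. The conf fragments and the filenames are constructed for the example; the function names are mine.

```python
import re

# Added example, not OCS Inventory or Apache code. Models how Apache decides
# that a request is "PHP" under the configurations discussed in the thread.
# Assumptions: mod_mime's multi-extension rule (every dot-separated suffix is
# examined, a later typed suffix overrides an earlier one, unknown suffixes are
# ignored) and that, with no handler set, the request goes to the module
# registered for the resulting content type. MultiViews, AddHandler and
# case-insensitive filesystems are not modelled.

PHP_TYPE = "application/x-httpd-php"

# Constructed stand-in for mime.types plus the conf's "AddType ... .php" line.
ADDTYPE_MAP = {
    "php": PHP_TYPE,
    "jpg": "image/jpeg",
    "txt": "text/plain",
    # ".bak", ".old", ".upload" etc. deliberately absent: unknown suffixes.
}


def addtype_php(filename, addtype_map=ADDTYPE_MAP):
    """Does 'AddType application/x-httpd-php .php' alone make this file PHP?"""
    ctype = None
    for ext in filename.lower().split(".")[1:]:  # mod_mime ignores case
        if ext in addtype_map:
            ctype = addtype_map[ext]             # last typed suffix wins
    return ctype == PHP_TYPE


FILESMATCH_PHP = re.compile(r".+\.php$")  # the pattern proposed in the thread


def filesmatch_php(filename):
    """Does the '<FilesMatch ".+\\.php$"> SetHandler' block apply? Only when
    .php is the final suffix; FilesMatch is case-sensitive unless told otherwise."""
    return FILESMATCH_PHP.search(filename) is not None


def audit_conf(conf_text):
    """Scan an Apache conf fragment for the two ways of binding PHP.

    'hardened' is True only when the FilesMatch/SetHandler block is present
    AND the bare AddType line is gone: under the model above a surviving
    AddType still types 'shell.php.bak' as PHP."""
    addtype = re.search(
        r"^\s*AddType\s+application/x-httpd-php\s+\.php\b", conf_text, re.M | re.I
    ) is not None
    filesmatch = re.search(
        r'<FilesMatch\s+"[^"]*\\\.php\$"\s*>\s+SetHandler\s+application/x-httpd-php',
        conf_text, re.I,
    ) is not None
    return {"addtype": addtype, "filesmatch_sethandler": filesmatch,
            "hardened": filesmatch and not addtype}


# Constructed conf fragments modelled on the thread's before/after snippets.
CONF_ORIGINAL = """\
<IfModule mod_php7.c>
    AddType application/x-httpd-php .php
</IfModule>
"""

CONF_THREAD = """\
<IfModule mod_php7.c>
    <IfModule mod_mime.c>
        AddType application/x-httpd-php .php
    </IfModule>
    <FilesMatch ".+\\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</IfModule>
"""

CONF_FILESMATCH_ONLY = """\
<IfModule mod_php7.c>
    <FilesMatch ".+\\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</IfModule>
"""

# Constructed filenames, including the double-extension shape an uploader
# would try against a server that executes on AddType alone.
SAMPLE_NAMES = ["index.php", "shell.php.bak", "shell.php.jpg", "shell.PHP", "notes.txt"]


def classify(names=SAMPLE_NAMES):
    """Map each name to (executed_under_addtype, executed_under_filesmatch)."""
    return {n: (addtype_php(n), filesmatch_php(n)) for n in names}


if __name__ == "__main__":
    for name, (a, f) in classify().items():
        print(f"{name:16} AddType={a!s:5} FilesMatch={f!s:5}")
    for label, conf in (("original", CONF_ORIGINAL), ("thread", CONF_THREAD),
                        ("filesmatch-only", CONF_FILESMATCH_ONLY)):
        print(label, audit_conf(conf))
```

Under this model `shell.php.bak` is executed whenever the `AddType ... .php` line survives, so the audit only reports a fragment as hardened when the FilesMatch/SetHandler block is present and the AddType line has been dropped, which is the form Debian's own php7.x.conf uses. The check is a model, not a live test: the definitive check on a real server is to place a file with a double extension in a web-served directory and see whether Apache returns it raw or runs it.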
Just so far:
From my perspective the following quote of the thread author and the CVE is misleading if not read carefully, as I would think it affects every server without logging in:
OCS Inventory NG could allow a remote authenticated attacker to upload arbitrary files. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system (CVE-2018-15537).
So before this request can be sent OCS Inventory NG needs me to login first. As long as I'm the only user on the system I don't care about this vulnerability as much as I would if it would be publicly accessible.
Also, the page which is requested in the CVE doesn't exist anymore:
/ocsreports/?function=tele_pack
brings up the message "page not found !!!!".
So as I don't have more than one user on the system the problem is not really affecting me and I can't test it further. But I applied your improvement @Minikea without any problems. Unfortunately I can't say if it helps.
Hi,
We fixed this issue in 2.10, if I'm not mistaken.
Also we provide a wiki page with all the good practices : https://wiki.ocsinventory-ng.org/09.Extras/Secure-your-OCS-Inventory-NG-Server/#secure-your-ocs-inventory-ng-server
Regards, Gilles.