
[BUG]

Open badisorfesprit opened this issue 2 years ago • 3 comments

Can anyone tell me if this bug is fixed or not? Because when I ran a vulnerability scan I found that this problem is not fixed and is still the same issue.

OCS Inventory NG could allow a remote authenticated attacker to upload arbitrary files. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system. CVE-2018-15537

Thank you

badisorfesprit avatar Jan 10 '22 13:01 badisorfesprit

Is this solution acceptable? Replace

<IfModule mod_php5.c>
        AddType application/x-httpd-php .php

with

<IfModule mod_php5.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>

Minikea avatar Jan 18 '22 14:01 Minikea

You are talking about changing this in /etc/apache2/conf-available/ocsinventory-reports.conf, right?

Then for me this would also need an adaptation for the PHP 7.x config part

<IfModule mod_php7.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>

I just applied the changes to my production setup and will try if it fixed this security issue. Will report back.

codiflow avatar Jan 31 '22 16:01 codiflow

Just so far:

From my perspective the following quote of the thread author and the CVE is misleading if not read carefully, as I would think it affects every server without logging in.

OCS Inventory NG could allow a remote authenticated attacker to upload arbitrary files. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system. CVE-2018-15537

So before this request can be sent, OCS Inventory NG needs me to log in first. As long as I'm the only user on the system I don't care about this vulnerability as much as I would if it would be publicly accessible.

Also the page which is requested in the CVE doesn't exist anymore. /ocsreports/?function=tele_pack brings up the message "page not found !!!!"

So as I don't have more than one user on the system the problem is not really affecting me and I can't test it further. But I applied your improvement @Minikea without any problems. Unfortunately I can't say if it helps.

codiflow avatar Jan 31 '22 16:01 codiflow

Hi,

We fixed this issue in 2.10, if I'm not mistaken.

Also, we provide a wiki page with all the good practices: https://wiki.ocsinventory-ng.org/09.Extras/Secure-your-OCS-Inventory-NG-Server/#secure-your-ocs-inventory-ng-server

Regards, Gilles.

gillesdubois avatar Sep 29 '22 15:09 gillesdubois
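
A small audit for the Apache change discussed in this thread, as an added example (not OCS Inventory's code and not posted by any participant): it flags PHP mappings made through mod_mime's `AddType`/`AddHandler`, which apply per extension rather than per file-name ending, and accepts `SetHandler` only inside an end-anchored `<FilesMatch>`. The function name and the sample snippets (the thread's two variants, with closing tags added) are constructed for illustration.

```python
import re

PHP_TYPE = "application/x-httpd-php"

# Constructed inputs: the thread's two variants, with closing tags added.
BEFORE = r"""<IfModule mod_php5.c>
    AddType application/x-httpd-php .php
</IfModule>"""
AFTER = r"""<IfModule mod_php5.c>
    <IfModule mod_mime.c>
        AddType application/x-httpd-php .php
    </IfModule>
    <FilesMatch ".+\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</IfModule>"""


def audit_php_mapping(conf_text):
    """Return (line_no, severity, message) for each PHP mapping directive."""
    findings, scopes = [], []  # scopes: stack of open <FilesMatch> regexes
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        is_php = PHP_TYPE in line.lower()
        opened = re.match(r'<FilesMatch\s+"?(.+?)"?\s*>$', line, re.I)
        if opened:
            scopes.append(opened.group(1))
        elif re.match(r"</FilesMatch>", line, re.I):
            if scopes:
                scopes.pop()
        elif is_php and re.match(r"(AddType|AddHandler)\s", line, re.I):
            # mod_mime looks at every dot-separated extension of a file name,
            # so a name such as report.php.bak can still be mapped to PHP.
            findings.append((no, "WARN", "per-extension mod_mime mapping"))
        elif is_php and re.match(r"SetHandler\s", line, re.I):
            if scopes and scopes[-1].endswith("$"):
                findings.append((no, "OK", "handler scoped to " + scopes[-1]))
            else:
                findings.append((no, "WARN", "SetHandler without end-anchored FilesMatch"))
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        for finding in audit_php_mapping(conf):
            print(name, *finding)
```

On the replacement block from the thread, the audit still reports the retained `AddType` line alongside the scoped `SetHandler`.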