
Command injection in /fog/management/export.php?filename=

Security Advisories
    Tom Elliott (last edited Jul 12, 2024, 12:35 PM)

    https://github.com/FOGProject/fogproject/security/advisories/GHSA-7h44-6vq6-cq8j

    That should contain all the relevant information directly pertaining to it, but the TL;DR:

    There are known issues with versions of the export script older than 1.5.10.34 that allow RCE. This has been patched in 1.5.10.34 and up, and export.php is no longer present in 1.6.

    To patch existing versions, use the script in the link or copy this to your FOG server and run it:

    #!/bin/bash
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

    # Quick patch for GHSA-7h44-6vq6-cq8j
    # source https://github.com/FOGProject/fogproject (dev-branch)
    # based on fix applied to 1.5.10.34

    # MD5 of the fixed files on dev-branch when this script was written. If upstream
    # changes either file again the download will not match and the script stops
    # instead of installing code it has not seen.
    export_hash='ecc84d2ce81f9c3d188758a8ca17519e'
    report_hash='eabb801aab46dd25e6e2cb99df50f746'
    BASE_INSTALL='/var/www/html/fog'
    # Account the web server runs as: www-data on Debian/Ubuntu, apache on RHEL-based systems.
    WEB_USER='www-data'
    PROBE_URL='http://127.0.0.1/fog/management/export.php?filename=%24%28touch+p.txt%29&type=pdf'
    PROBE_FILE="${BASE_INSTALL}/management/p.txt"

    # Send the injection probe. filename= carries $(touch p.txt); a vulnerable
    # export.php runs it and the file appears in the management directory.
    # Assumes the GUI answers plain HTTP on localhost (an HTTPS redirect is not followed).
    probe() {
        rm -f "${PROBE_FILE}"
        curl -s -X POST \
            -F 'fogguiuser=fog' \
            -F 'nojson=2' \
            "${PROBE_URL}" &> /dev/null
        [[ -f "${PROBE_FILE}" ]]
    }

    echo "Initiating patch for advisory GHSA-7h44-6vq6-cq8j"

    # Can we modify the files? Checked first: the probe's p.txt is created by the
    # web server account and has to be removed again afterwards.
    if [[ "${UID}" -ne 0 ]]; then
        echo "sorry, we need root to make changes under ${BASE_INSTALL}"
        exit 1
    fi

    # Is BASE_INSTALL where we expect?
    if [[ ! -f "${BASE_INSTALL}/management/export.php" ]]; then
        echo "Could not find ${BASE_INSTALL}/management/export.php"
        echo "Please, check settings manually"
        exit 2
    fi

    echo "Testing if system is vulnerable"
    if ! probe; then
        echo "system does not look vulnerable! aborting patch"
        exit 0
    fi
    rm -f "${PROBE_FILE}"
    echo "System is vulnerable! applying patch..."

    # Can we reach github?
    if ! ping -c1 raw.githubusercontent.com &> /dev/null; then
        echo "Could not reach github. Aborting"
        exit 5
    fi

    # Backup old files.
    tar -cvpf /root/fogbkp.tar "${BASE_INSTALL}/management/export.php" \
        "${BASE_INSTALL}/lib/fog/reportmaker.class.php" &> /dev/null
    if [[ ! -f /root/fogbkp.tar ]]; then
        echo "warning: could not back up export.php and reportmaker.class.php"
        exit 3
    fi
    echo "Created backups for export.php and reportmaker.class.php at /root/fogbkp.tar"

    echo "Downloading patches and checking file hashes"
    # Download patches and check hashsum (-f: an HTTP error page must not be saved as the file)
    curl -sf 'https://raw.githubusercontent.com/FOGProject/fogproject/dev-branch/packages/web/management/export.php' -o /root/export.php
    curl -sf 'https://raw.githubusercontent.com/FOGProject/fogproject/dev-branch/packages/web/lib/fog/reportmaker.class.php' -o /root/reportmaker.class.php
    if [[ "$(md5sum /root/export.php 2>/dev/null | awk '{print $1}')" != "${export_hash}" ]]; then
        echo "export.php could not be downloaded or was modified upstream! This patch is no longer up to date. Please, update to latest stable release."
        rm -f /root/export.php /root/reportmaker.class.php
        exit 4
    fi
    if [[ "$(md5sum /root/reportmaker.class.php 2>/dev/null | awk '{print $1}')" != "${report_hash}" ]]; then
        echo "reportmaker.class.php could not be downloaded or was modified upstream! This patch is no longer up to date. Please, update to latest stable release."
        rm -f /root/export.php /root/reportmaker.class.php
        exit 4
    fi

    echo "Installing patched files"
    # install(1) copies the file and sets owner and mode in one step, so the
    # installed copies end up owned by the web server account, not by root.
    install -o "${WEB_USER}" -g "${WEB_USER}" -m 0644 /root/export.php "${BASE_INSTALL}/management/export.php"
    install -o "${WEB_USER}" -g "${WEB_USER}" -m 0644 /root/reportmaker.class.php "${BASE_INSTALL}/lib/fog/reportmaker.class.php"

    # Cleaning up stuff we no longer need
    rm -f /root/export.php /root/reportmaker.class.php

    # Confirm the fix took: the same probe must no longer create the file.
    # Give PHP opcache a moment to notice the new timestamp (default revalidate_freq is 2s).
    sleep 3
    if probe; then
        rm -f "${PROBE_FILE}"
        echo "WARNING: export.php still executes the probe payload; check the web server and PHP opcache"
        exit 6
    fi

    echo "We have finished patching fog!"
    

    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

    Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

    Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

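The patch script above detects a vulnerable server by sending a percent-encoded `$(touch p.txt)` through the `filename` parameter. The same property makes the attack visible in web server logs, provided the value is decoded before it is inspected. The following is an added example, not code from the post or from the FOG project: it parses Apache combined-format access log lines, decodes the `filename` parameter of requests to `/fog/management/export.php`, and flags values containing shell metacharacters. The log lines are constructed for the example; the `/fog` prefix matches the path in the advisory, and the combined log format is an assumption about the deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache combined-log lines (not real traffic). The third line
# carries the same probe payload the forum's patch script sends: $(touch p.txt).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2024:12:30:01 +0000] "POST /fog/management/export.php?filename=hosts&type=csv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2024:12:30:07 +0000] "GET /fog/management/index.php?node=host HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2024:12:31:15 +0000] "POST /fog/management/export.php?filename=%24%28touch+p.txt%29&type=pdf HTTP/1.1" 200 0 "-" "curl/8.5.0"
203.0.113.9 - - [12/Jul/2024:12:31:40 +0000] "POST /fog/management/export.php?filename=x%60id%60&type=pdf HTTP/1.1" 200 0 "-" "curl/8.5.0"
"""

# Apache combined log format: client, ident, user, [time], "METHOD target HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a value break out of a shell command line. The check runs on
# the decoded value because the probe arrives percent-encoded (%24%28 is "$(").
SHELL_META = re.compile(r'[$`;|&\n\r<>]')

# Path of the vulnerable script under the assumed /fog web root.
EXPORT_PATH = '/fog/management/export.php'


def decode_filename(target):
    """Return the decoded filename parameter of an export.php request, else None."""
    parts = urlsplit(target)
    if parts.path != EXPORT_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into a space, matching what PHP sees.
    values = parse_qs(parts.query, keep_blank_values=True).get('filename')
    return values[0] if values else None


def find_injection_attempts(log_text):
    """Return (client, time, decoded_filename) tuples for export.php requests
    whose filename parameter carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        filename = decode_filename(m.group('target'))
        if filename is None or not SHELL_META.search(filename):
            continue
        hits.append((m.group('client'), m.group('time'), filename))
    return hits


if __name__ == '__main__':
    for client, when, fname in find_injection_attempts(SAMPLE_LOG):
        print(f'{when} {client} export.php filename={fname!r}')
```

Run it against a real access log with `find_injection_attempts(open(path).read())`. A legitimate export name should never contain any of the flagged characters, so hits from sources other than the patch script itself deserve a look at what else that client did; a 200 response with zero bytes, as in the constructed lines, is what the probe produces when the injected command ran instead of a report.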
    Tom Elliott @Tom Elliott (last edited Jul 12, 2024, 12:39 PM)

      This was reported and tested, and the fix was also tested, by the GitHub user bluetoothStrawberry.

      Thank you!


Copyright © 2012-2024 FOG Project