CVE-2023-41788
📋 TL;DR
This vulnerability lets an attacker upload PHP files through the Pandora FMS web console without adequate restrictions. Once the uploaded file is requested through the web server it runs as the web server user, giving remote code execution on the console host. It affects Pandora FMS versions 700 through 773. From there the attacker controls the console and, with further privilege escalation, the underlying system.
💻 Affected Systems
- Pandora FMS
📦 What is this software?
Pandora FMS is an IT infrastructure monitoring platform. Its web console is a PHP application served by Apache or Nginx, and the console is where this upload flaw lives.
⚠️ Risk & Real-World Impact
Worst Case
Code execution as the web server user on the console host, escalated to root through local privilege escalation or an over-privileged service account; data exfiltration; lateral movement (a monitoring server typically has network reach to, and credentials for, the hosts it monitors); and persistent backdoors.
Likely Case
Webshell deployment leading to data theft, credential harvesting, and further exploitation of the network.
If Mitigated
Limited impact if uploads are validated server-side against an allowlist and the web server refuses to serve or execute PHP from the upload directory. These controls only cover the locations they are scoped to, so patching is still required.
🎯 Exploit Status
Simple file upload exploitation with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 774 or later
Vendor Advisory: https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
Restart Required: Yes
Instructions:
1. Back up your Pandora FMS installation and database.
2. Download version 774 or later from the official Pandora FMS website.
3. Follow the official upgrade documentation for your specific deployment method.
4. Restart all Pandora FMS services after the upgrade.
🔧 Temporary Workarounds
Restrict PHP file uploads
Configure the web server so that it will neither serve nor execute PHP-like files (php, phtml, phar) from the upload directory. This only helps when uploaded files actually land in the directory the rule protects, and it does not remove the flaw, so treat it as a stopgap until 774 is deployed.
# For Apache 2.4+: add to .htaccess in the upload directory (needs AllowOverride
# All for that directory), or place the same block inside a <Directory> section
# in the server config. Apache 2.2 used "Order Deny,Allow" / "Deny from all".
<FilesMatch "\.ph(p\d?|tml|ar)$">
    Require all denied
</FilesMatch>
# Caveat: per-directory rules do not apply to requests handed to php-fpm with
# ProxyPassMatch; with that setup use a SetHandler-based php-fpm config instead.
# For Nginx: scope the rule to the upload directory (attachment/ is the default
# store in stock installs; verify yours) and put it BEFORE the generic
# "location ~ \.php$" fastcgi block. A server-wide deny on \.php$ would take the
# whole PHP console offline.
location ~* ^/pandora_console/attachment/.*\.ph(p\d?|tml|ar)$ {
    return 403;
}
Implement file type validation
Add server-side validation of the filename the client sends (not of the Content-Type header, which the client also controls): allowlist a few harmless extensions, reject PHP-like segments anywhere in the name, and store the file under a server-generated name.
# Example PHP validation snippet
$allowed_types = ['jpg', 'png', 'pdf', 'txt'];
$basename = basename($_FILES['file']['name']);   // drop any directory components
$file_ext = strtolower(pathinfo($basename, PATHINFO_EXTENSION));
// Allowlist the final extension AND reject PHP-like segments anywhere in the
// name, so shell.php.jpg is not accepted and later executed by a lax handler
if (!in_array($file_ext, $allowed_types, true) || preg_match('/\.ph(p\d?|tml|ar)\b/i', $basename)) {
    die('Invalid file type');
}
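The same rules written out as an added Python example so they can be exercised against awkward filenames. This is not Pandora FMS code; the allowlist is the one from the snippet above, and a real deployment would keep these checks in the console's PHP. It goes beyond the snippet in that it also rejects directory components, dotfiles such as .htaccess, NUL bytes, and returns a server-generated storage name:

```python
import os
import re
import secrets

# Constructed policy for this example, mirroring the workaround above: a short
# allowlist and a "no PHP-like segment anywhere in the name" rule.
ALLOWED_EXTENSIONS = {"jpg", "png", "pdf", "txt"}
# .php, .php3-.php8, .phtml, .phar as a whole name segment, so x.php.jpg also hits
PHP_LIKE = re.compile(r"\.ph(?:p\d?|tml|ar)(?=\.|$)", re.IGNORECASE)


def rejection_reason(name: str):
    """Return why a client-supplied filename is rejected, or None if acceptable.

    The client controls the name completely, so every check is on the string
    itself; the Content-Type header is not consulted because it is equally
    attacker-controlled.
    """
    if not name:
        return "empty name"
    if "\x00" in name:
        return "NUL byte (extension-truncation trick)"
    # basename() drops ../ and absolute prefixes; if it had to change anything,
    # the client was trying to choose the destination directory: refuse outright
    if os.path.basename(name.replace("\\", "/")) != name:
        return "directory components"
    if name.startswith("."):
        return "dotfile (e.g. .htaccess/.user.ini could change server config)"
    if PHP_LIKE.search(name):
        return "PHP-like extension segment"
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension {ext!r} not in allowlist"
    return None


def is_acceptable_upload_name(name: str) -> bool:
    return rejection_reason(name) is None


def storage_name(name: str) -> str:
    """Name to use on disk: random stem plus the validated extension, so the
    attacker never controls the stored filename even after passing validation."""
    reason = rejection_reason(name)
    if reason is not None:
        raise ValueError(f"rejected {name!r}: {reason}")
    return f"{secrets.token_hex(16)}.{name.rsplit('.', 1)[1].lower()}"


if __name__ == "__main__":
    for candidate in ["report.pdf", "Photo.JPG", "shell.php", "shell.php.jpg",
                      "shell.phtml", ".htaccess", "../../shell.pdf", "shell.php\x00.jpg"]:
        print(f"{candidate!r:24} -> {rejection_reason(candidate) or 'accepted'}")
```

The extension check alone would pass shell.php.jpg, which some Apache handler configurations still execute; the PHP_LIKE rule is what closes that, and the random storage name removes any remaining value in the client-chosen name.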
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Pandora FMS servers from critical systems
- Deploy web application firewall (WAF) with rules to block PHP file uploads and suspicious upload patterns
🔍 How to Verify
Check if Vulnerable:
Any console from version 700 through 773 is affected. The flaw is in the PHP web console, so it is the console version that matters: check it under Help → About in the web interface, or with the command below on the console host.
Check Version:
grep -E 'pandora_version|build_version' /var/www/html/pandora_console/include/config_process.php 2>/dev/null || cat /usr/share/pandora_server/PANDORA_VERSION
(Default install paths; adjust to your deployment. The server package version is only a proxy for the console version when both were installed together.)
Verify Fix Applied:
Confirm the console reports 774 or higher, then exercise the upload functionality with a PHP file (it should be rejected). If the host was reachable while vulnerable, also list PHP-like files under the upload directory: the upgrade does not place any there, so anything found needs triage before it is removed.
📡 Detection & Monitoring
Log Indicators:
- POST requests to the console's file upload endpoints, especially from addresses with no prior normal console use or outside maintenance windows (access logs do not record the uploaded filename, so this alone is low signal)
- Any request, GET or POST, for a .php, .phtml or .phar file under the upload directory: legitimate console code is never served from there, so each hit is a webshell candidate regardless of status code
- New PHP-like files appearing under the upload directory, or recently modified files owned by the web server user there
- Processes spawned by the web server user (shells, curl/wget, interpreters) that the console does not normally launch
Network Indicators:
- HTTP POST requests with multipart bodies carrying filename="...php" to upload endpoints under /pandora_console/
- Outbound connections from the Pandora FMS server to unknown IPs (reverse shells, tool download)
SIEM Query (pseudo-query over the web server access log; adapt source and field names to your log pipeline):
source="apache_access" OR source="nginx_access"
  (method=POST AND uri="/pandora_console/*" AND uri="*upload*")
  OR (uri="/pandora_console/attachment/*" AND uri="*.ph*")
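An added example, not from the advisory or the Pandora FMS project, that applies the indicators above to Apache/Nginx combined-format access log lines: it flags every request for a PHP-like file under the upload directory and, for each, reports the most recent POST the same client sent to the console in the preceding 30 minutes, which is the likely upload request. The upload directory (attachment/) and the POST endpoint in the sample lines are assumptions, and the log lines are constructed:

```python
import os
import re
from datetime import datetime, timedelta

# Assumptions (not from the advisory): uploads land under the console's
# attachment/ directory (default in stock installs; adjust to yours) and the web
# server writes Apache/Nginx "combined" format access logs.
UPLOAD_DIR_URL = "/pandora_console/attachment/"
# .php, .php3-.php8, .phtml, .phar as a whole segment, so x.php.jpg also matches
PHP_LIKE = re.compile(r"\.ph(?:p\d?|tml|ar)(?=$|[./?])", re.IGNORECASE)
POST_WINDOW = timedelta(minutes=30)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e


def find_webshell_hits(lines):
    """Return (ip, path, status, upload_post) for every request that would
    execute a PHP-like file under the upload directory.

    upload_post is the path of the most recent POST the same client sent to
    the console (outside the upload directory) within POST_WINDOW, or None.
    Status is reported but not filtered on: a 404 still records an attempt.
    """
    last_post = {}  # ip -> (timestamp, path)
    hits = []
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        url_path = e["path"].split("?", 1)[0]
        in_upload_dir = url_path.startswith(UPLOAD_DIR_URL)
        if e["method"] == "POST" and not in_upload_dir:
            last_post[e["ip"]] = (e["ts"], e["path"])
        if in_upload_dir and PHP_LIKE.search(url_path):
            upload_post = None
            prev = last_post.get(e["ip"])
            if prev and e["ts"] - prev[0] <= POST_WINDOW:
                upload_post = prev[1]
            hits.append((e["ip"], url_path, int(e["status"]), upload_post))
    return hits


def php_like_names(names):
    """Filesystem-side counterpart: which of these file names are PHP-like."""
    return sorted(n for n in names if PHP_LIKE.search(n))


def php_files_under(directory):
    """Walk the upload directory on disk; any PHP-like file there is a finding."""
    found = []
    for root, _dirs, files in os.walk(directory):
        found.extend(os.path.join(root, f) for f in php_like_names(files))
    return sorted(found)


# Constructed sample lines (not real traffic); the POST endpoint is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:14:02:11 +0000] "GET /pandora_console/index.php?sec=view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:14:03:40 +0000] "POST /pandora_console/index.php?sec=file_manager HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:14:03:55 +0000] "GET /pandora_console/attachment/cmd.php?c=id HTTP/1.1" 200 97 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:14:10:02 +0000] "GET /pandora_console/attachment/logo.png HTTP/1.1" 200 3321 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:10:30 +0000] "GET /pandora_console/attachment/x.php.jpg HTTP/1.1" 404 196 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, path, status, via in find_webshell_hits(SAMPLE_LOG):
        print(f"{ip} requested {path} -> {status}; preceding console POST: {via}")
    # On the console host, point this at the real upload directory:
    # print(php_files_under("/var/www/html/pandora_console/attachment"))
```

The first sample client uploads and then calls its shell within seconds, so the hit is reported together with the POST that preceded it; the second client only probes for a file and gets a 404, which is still worth an alert because nothing legitimate asks for PHP under that directory.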