SSRF in geomap.php
dontqwerty opened this issue · comments
Problem
If a user is able to edit the NagVis global options, he is able to perform a Server-side request forgery.
Explanation
The function geomap_get_contents
uses the PHP function file_get_contents
to retrieve data from the URL specified in the geomap_server
field of the NagVis global options, but there is no validation on the given URL.
Furthermore, as defined here, the content retrieved from the geomap_server
URL is written to the file system (on a predictable path) without validation.
Other info
Here is a screenshot of the global configuration page, which allows setting the geomap_server
field.