CVE-2018-15537
Description
Unrestricted file upload (with remote code execution) in OCS Inventory NG ocsreports allows a privileged user to gain access to the server via crafted HTTP requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OCS Inventory NG ocsreports allows privileged users to upload arbitrary PHP files, leading to remote code execution on the server.
Vulnerability
OCS Inventory NG version 1.06.01 and earlier contains an unrestricted file upload vulnerability in the ocsreports component. A privileged user with console access can upload a PHP shell via a specially crafted HTTP request. No validation is performed on the uploaded file type, allowing arbitrary files, including executable scripts, to be written to the download/ directory [1].
Exploitation
An attacker requires valid credentials for a privileged (admin) account in OCS Inventory NG. By crafting a multipart HTTP POST request to the upload functionality, the attacker can embed a PHP file with arbitrary code. The request is sent to the ocsreports page, and the file is stored on the server without any extension or content filtering [1].
Impact
Successful exploitation grants the attacker the ability to execute arbitrary PHP code on the underlying server with the privileges of the web server user. This leads to full compromise of the OCS Inventory NG server, including access to the database and potentially lateral movement within the network [1].
Mitigation
A fix was released in OCS Inventory NG version 1.06.02. Users should upgrade immediately. There is no known workaround for the vulnerability; the only effective mitigation is applying the patch. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
- packetstormsecurity.com/files/150330/OCS-Inventory-NG-ocsreports-Shell-Upload.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2018/Nov/40 (mitre, mailing-list, x_refsource_FULLDISC)