Nagios XI <= 5.7.5 Remote Code Execution

Nagios XI <= 5.7.5 allows authenticated admins to upload arbitrary files due to improper validation in the rename functionality of the custom-includes component.
The custom-includes component allows uploading various file types such as .css, .js, .png, and some more.
When uploading an image file, there is also an option to rename the file. The renaming code is pretty straightforward:

function rename_file()
{
    $error = false;
    $id = grab_request_var('id', '');
    $name = grab_request_var('name', '');
    $newname = stripcslashes(trim($name));
    if (empty($id) || empty($name)) { $error = true; }

    if (!$error) {
        $images = get_array_option('custom_includes_files_images');
        $i = $images[$id];

        // Rename the file and send back json
        $x = rename($i['dir'].'/'.$i['name'], $i['dir'].'/'.$newname);
        if ($x === false) {
            $error = true;
        } else {
            // Rename the database entry
            $images[$id]['name'] = $newname;
            set_array_option('custom_includes_files_images', $images);
        }  
    }

    if ($error) {
        echo json_encode(array('error' => 1, 'msg' => _('Could not rename file. Check file permissions.')));
    } else {
        echo json_encode(array('error' => 0, 'msg' => _('Renamed successfully')));
    }
}

As you can see, it takes the id of the old image and the new name for the image, and then renames the file.
There is no file name validation at all, which allows the attacker not only to perform directory traversal but also to rename the file with any extension they want.
As a result, the attacker can upload arbitrary files.
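
One way to validate the new name before it reaches rename(), shown as an added example (not code from the original post and not Nagios XI's actual patch). The function name validate_image_rename(), the extension allowlist and the sample names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical validator, not Nagios XI's own code or patch.
// Assumed allowlist; the page only names .png as an image type.
const ALLOWED_IMAGE_EXT = ['png', 'jpg', 'jpeg', 'gif'];

// Returns the validated name, or null if the rename must be refused.
// $newName must be the final string that will be handed to rename(),
// i.e. checked after trim()/stripcslashes(), because stripcslashes()
// decodes escapes such as \x2f into "/".
function validate_image_rename(string $newName, string $oldName): ?string
{
    // One path component only: leading alphanumeric, exactly one dot, no
    // separators, NUL or control bytes. \z (not $) so a trailing newline fails.
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9_-]{0,99}\.([A-Za-z0-9]{1,5})\z/';
    if (!preg_match($pattern, $newName, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!in_array($ext, ALLOWED_IMAGE_EXT, true)) {
        return null;
    }
    // Design choice in this example: a rename may not change the file type.
    if ($ext !== strtolower(pathinfo($oldName, PATHINFO_EXTENSION))) {
        return null;
    }
    return $newName;
}

// Constructed sample inputs, processed the same way rename_file() does.
$oldName = 'logo.png';
$samples = [
    'banner.png',        // plain rename
    'logo.PNG',          // same type, different case
    '../../html/x.php',  // traversal and extension change
    'x.php',             // extension change only
    'x.php.png',         // double extension
    '..\x2fx.png',       // becomes "../x.png" after stripcslashes()
    'photo.gif',         // allowlisted, but changes the file type
];
foreach ($samples as $raw) {
    $candidate = stripcslashes(trim($raw));
    $verdict = validate_image_rename($candidate, $oldName) === null ? 'rejected' : 'accepted';
    printf("%-20s %s\n", $raw, $verdict);
}
```

Only the first two sample names are accepted. In rename_file() the check would sit between the stripcslashes() call and the rename() call, setting $error when null is returned.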
