SQL injection in "Import Config Files" section

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
gzaloprgm
Posts: 33
Joined: Mon Aug 06, 2018 8:46 am

SQL injection in "Import Config Files" section

Post by gzaloprgm »

Hi. I've found a SQL injection vector in the "Import Config Files" section.

Variable values aren't escaped, so a config file with this

```
_TESTVARIABLE                  testing' -- SQL comment 
```

Ends up truncated in the tbl_variabledefinition table:

```
| 3472 | _TESTVARIABLE| testing | 1970-02-02 01:01:01 |
```

I know it's not super critical, since a user that can write to etc/ can probably read the database credentials and execute any query.
The main annoying issue is that it also causes a bug with certain character sequences, for instance, importing a config file with this line breaks the generated config:

```
_TESTVARIABLE                  aaaaa\nagios
```

The bug manifests even if the files are prepared using xiprepimport.

The issue seems to be in /usr/local/nagiosxi/html/includes/components/ccm/classes/import.class.php; in this case, writeRelation_4 (and other similar functions) should escape most of the strings that are included inside SQL queries.

Thanks,
Gonzalo
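The truncation described above, as an added example that is not part of the original post or of Nagios XI's own code: the vulnerable query shape is an assumption about how import.class.php splices values into a multi-line INSERT (sqlite3 stands in for the MySQL database), shown beside the parameterised form that stores the same value intact.

```python
import sqlite3

# Constructed sample: the config line from the post, split into the
# (name, value) pair the importer would store. sqlite3 stands in for the
# MySQL database behind Nagios XI; '--' starts a comment in both.
NAME = "_TESTVARIABLE"
VALUE = "testing' -- SQL comment "

def _fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl_variabledefinition (varname TEXT, varvalue TEXT)")
    return con

def insert_unescaped(con, name, value):
    """Vulnerable form (assumed shape, not the project's code): the value is
    spliced into a multi-line query. The quote closes the literal early and
    '--' comments out the rest of that line; the closing ')' on the next line
    keeps the statement valid, so it executes with a truncated value."""
    sql = (
        "INSERT INTO tbl_variabledefinition (varname, varvalue)\n"
        f"VALUES ('{name}', '{value}'\n"
        ")"
    )
    con.execute(sql)
    con.commit()

def insert_parameterised(con, name, value):
    """Hardened form: a bound parameter is data only and cannot alter the query."""
    con.execute(
        "INSERT INTO tbl_variabledefinition (varname, varvalue) VALUES (?, ?)",
        (name, value),
    )
    con.commit()

def stored_value(insert_fn, name=NAME, value=VALUE):
    """Run one insert style on a fresh table and return what ended up stored."""
    con = _fresh_db()
    insert_fn(con, name, value)
    row = con.execute(
        "SELECT varvalue FROM tbl_variabledefinition WHERE varname = ?", (name,)
    ).fetchone()
    con.close()
    return row[0]

print("unescaped     :", repr(stored_value(insert_unescaped)))      # 'testing'
print("parameterised :", repr(stored_value(insert_parameterised)))  # full VALUE
```

The backslash case from the post (`aaaaa\nagios`) is a MySQL string-literal escape issue and is not reproduced here, but the same bound-parameter fix covers it, since the driver never interprets the value as SQL text.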
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: SQL injection in "Import Config Files" section

Post by cdienger »

What version of XI are you seeing this with? I've tested with 5.5.5 and do not see the behavior on this version.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
gzaloprgm
Posts: 33
Joined: Mon Aug 06, 2018 8:46 am

Re: SQL injection in "Import Config Files" section

Post by gzaloprgm »

Hi. I am testing it with XI 5.5.5 as well.
Try importing the attached config file.
After importing it, the free variables for that host will be bugged.
Thanks, Gonzalo
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: SQL injection in "Import Config Files" section

Post by cdienger »

Thanks for that. I was able to reproduce and will file a bug with the dev team regarding this.