SQL injection in "Import Config Files" section
Posted: Tue Oct 30, 2018 9:49 am
Hi. I've found a SQL injection vector in the "Import Config Files" section.
Variable values aren't escaped, so a config file with this
Code:
_TESTVARIABLE testing' -- SQL comment
ends up truncated in the tbl_variabledefinition table:
Code:
| 3472 | _TESTVARIABLE| testing | 1970-02-02 01:01:01 |
I know it's not super critical, since a user that can write to etc/ can probably read the database credentials and execute any query.
The main annoying issue is that it also causes a bug with certain character sequences, for instance, importing a config file with this line breaks the generated config:
Code:
_TESTVARIABLE aaaaa\nagios
The bug manifests even if the files are prepared using xiprepimport.
The issue seems to be in /usr/local/nagiosxi/html/includes/components/ccm/classes/import.class.php, in this case
Code:
writeRelation_4
(and other similar functions) should escape most of the strings that are included inside SQL queries.
Thanks,
Gonzalo
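Added example, not part of the original post and not Nagios XI code: a small model of how a MySQL server reads a single-quoted string literal, run over the two config lines from the post with and without escaping. It assumes the CCM database is MySQL with default backslash escapes; the query template and the function names are hypothetical.

```python
# Added illustration, not Nagios XI code. Models how MySQL (default sql_mode,
# backslash escapes on) reads a single-quoted string literal.
DECODE = {"0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a",
          "%": "\\%", "_": "\\_"}          # \% and \_ keep their backslash
ENCODE = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
          "\\": "\\\\", "'": "\\'", '"': '\\"'}

# Hypothetical query shape; the real statement in import.class.php may differ.
TEMPLATE = ("INSERT INTO tbl_variabledefinition "
            "SET name='_TESTVARIABLE', value='{v}', last_modified=NOW()")


def escape_literal(value):
    """Backslash-escape the characters that are special inside '...'."""
    return "".join(ENCODE.get(ch, ch) for ch in value)


def read_literal(sql, start):
    """Parse the literal opening at sql[start]; return (value, rest_of_sql)."""
    if sql[start] != "'":
        raise ValueError("no opening quote at start")
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):          # escape sequence
            out.append(DECODE.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":  # '' is a literal quote
            out.append("'")
            i += 2
        elif ch == "'":                              # closing quote
            return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def import_value(raw, escape):
    """Return (value the server would store, SQL text left after it)."""
    sql = TEMPLATE.format(v=escape_literal(raw) if escape else raw)
    return read_literal(sql, sql.index("value='") + len("value="))


if __name__ == "__main__":
    for raw in ("testing' -- SQL comment", r"aaaaa\nagios"):  # lines from the post
        for escape in (False, True):
            print(escape, repr(raw), "->", import_value(raw, escape))
```

In the PHP importer the same effect comes from bound parameters or the database driver's own escaping function rather than a hand-written escaper.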