Details
-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
CE-22.5
-
None
Description
Version Tested : Observium CE 26.1.14545
*Severity:* High
*Type:* SQL Injection (CWE-89)
-
- Summary
Any logged-in user, regardless of permission level, can run arbitrary SQL against the database through the devices list filters. Setting a filter like `os` to a value such as `SLEEP(5)` executes it directly in the query - no escaping needed.
- Summary
-
- Where
- `includes/db.inc.php` - `is_db_function()` / `db_quote_string()`
- `html/includes/entities/device.inc.php` - `build_devices_where_array()`
- Same pattern also present in `cbqos.inc.php`, `storage.inc.php`, `oid_entry.inc.php`
-
- Root Cause
`is_db_function()` treats any value shaped like `FUNC(...)` as a safe SQL function call if `FUNC` is in the `OBS_DB_FUNCTIONS` whitelist (`includes/constants.inc.php`) - a list of ~250 functions that includes `SLEEP`, `BENCHMARK`, `EXTRACTVALUE`, `UPDATEXML`, `LOAD_FILE`. The only check is that the value doesn't contain a `;`. Contents inside the parentheses are never validated, so a full subquery can be nested there. If it matches, `db_quote_string()` returns the value unescaped and unquoted, straight into the query.
- Root Cause
-
- Steps to Reproduce
1. Log in as any user (tested both an Admin and the lowest-privilege "Limited" account).
2. Request: `GET /index.php?page=devices&os=SLEEP(4)`
3. Response takes several seconds longer than a normal request (confirmed 36s for admin, 12s for a Limited account - page runs the filtered query multiple times for counts/pagination/widgets).
- Steps to Reproduce
-
- Impact
Full read access to the database for any authenticated account, including the lowest-privilege role - user password hashes, SNMP credentials, full device inventory. Also usable as a low-cost DoS via parallel `SLEEP()`/`BENCHMARK()` requests.
- Impact
-
- Verified
Reproduced against a local Docker test instance (PHP 8.2 + MariaDB) on both an Admin and a Limited account.
- Verified