Uploaded image for project: 'Observium'
  1. Observium
  2. OBS-5245

Blind SQL injection in the devices list filters

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • CE-22.5
    • Web Interface
    • None

    Description

      Version Tested : Observium CE 26.1.14545

      *Severity:* High
      *Type:* SQL Injection (CWE-89)

        1. Summary
          Any logged-in user, regardless of permission level, can run arbitrary SQL against the database through the devices list filters. Setting a filter like `os` to a value such as `SLEEP(5)` executes it directly in the query - no escaping needed.
        1. Where
      • `includes/db.inc.php` - `is_db_function()` / `db_quote_string()`
      • `html/includes/entities/device.inc.php` - `build_devices_where_array()`
      • Same pattern also present in `cbqos.inc.php`, `storage.inc.php`, `oid_entry.inc.php`
        1. Root Cause
          `is_db_function()` treats any value shaped like `FUNC(...)` as a safe SQL function call if `FUNC` is in the `OBS_DB_FUNCTIONS` whitelist (`includes/constants.inc.php`) - a list of ~250 functions that includes `SLEEP`, `BENCHMARK`, `EXTRACTVALUE`, `UPDATEXML`, `LOAD_FILE`. The only check is that the value doesn't contain a `;`. Contents inside the parentheses are never validated, so a full subquery can be nested there. If it matches, `db_quote_string()` returns the value unescaped and unquoted, straight into the query.
        1. Steps to Reproduce
          1. Log in as any user (tested both an Admin and the lowest-privilege "Limited" account).
          2. Request: `GET /index.php?page=devices&os=SLEEP(4)`
          3. Response takes several seconds longer than a normal request (confirmed 36s for admin, 12s for a Limited account - page runs the filtered query multiple times for counts/pagination/widgets).
        1. Impact
          Full read access to the database for any authenticated account, including the lowest-privilege role - user password hashes, SNMP credentials, full device inventory. Also usable as a low-cost DoS via parallel `SLEEP()`/`BENCHMARK()` requests.
        1. Verified
          Reproduced against a local Docker test instance (PHP 8.2 + MariaDB) on both an Admin and a Limited account.

      Attachments

        Activity

          People

            adama Adam Armstrong
            tinyb0y tinyb0y
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: