Introduction

A potential security vulnerability was found in the Pandora API. Affected Pandora FMS version range: all NG versions, up to OUM 759. This vulnerability could allow an attacker with an authenticated IP to inject SQL.

CVE-2022-0507: SQL Injection

Pandora FMS is monitoring software that collects data from any system, generates alerts based on that data, and shows graphs, reports and maps of the environment. There are two versions of Pandora FMS: a free, open-source version and a paid Enterprise version, available starting from 100 devices.

Affected Product(s):

Pandora FMS Product: Pandora FMS Build 760.

Proof of Concept (PoC):

The remote SQL injection web vulnerability can be exploited by remote attackers with a privileged account and without user interaction. For security demonstration, or to reproduce the SQL injection vulnerability, follow the information and steps provided below.

PoC: Example /pandora_console/index.php?sec=view&sec2=operation/devicelist

PoC: Exploitation Name=test&DeviceId=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]

--- PoC Session (POST) ---
https://host/pandora_console/index.php?sec=view&sec2=operation/devicelist
Host: host
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Origin: https://host
Connection: keep-alive

Name=test&DeviceId=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]

Solution - Fix & Patch:

  1. Do not display SQL errors in the frontend or backend, and do not redisplay the broken or malicious query on the client side.
  2. Use prepared statements to protect the SQL query built from the POST request.
  3. Restrict the POST parameters by disallowing special characters such as single or double quotes.
  4. Set up a filter or validation class to deny broken or manipulated SQL queries.
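
The fix steps above, combined into one request handler as an added example; this is not Pandora FMS code. The `devices` table, `openDb()` and `handleDeviceUpdate()` are hypothetical, and in-memory SQLite through PDO stands in for the real database.

```php
<?php
declare(strict_types=1);

// Hypothetical schema standing in for the device list; not Pandora FMS's own.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // errors surface as exceptions
    $db->exec('CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO devices (id, name) VALUES (12, 'router'), (13, 'switch')");
    return $db;
}

// Handles the Name and DeviceId POST fields seen in the request above.
function handleDeviceUpdate(PDO $db, array $post): array
{
    // Step 3/4: DeviceId must be a positive integer; quotes, dashes and spaces are rejected.
    $id = filter_var($post['DeviceId'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $name = $post['Name'] ?? '';
    if ($id === false || !is_string($name) || !preg_match('/\A[\w .-]{1,64}\z/', $name)) {
        return ['status' => 400, 'body' => 'Invalid request'];
    }
    try {
        // Step 2: values are bound as parameters, never concatenated into the SQL text.
        $stmt = $db->prepare('UPDATE devices SET name = :name WHERE id = :id');
        $stmt->bindValue(':name', $name, PDO::PARAM_STR);
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->rowCount() === 1
            ? ['status' => 200, 'body' => 'Updated']
            : ['status' => 404, 'body' => 'Unknown device'];
    } catch (PDOException $e) {
        // Step 1: details go to the server log; the client sees no SQL or driver message.
        error_log('device update failed: ' . $e->getMessage());
        return ['status' => 500, 'body' => 'Internal error'];
    }
}

$db = openDb();
// Constructed inputs: a well-formed request, then a DeviceId that is not a plain integer.
$samples = [['Name' => 'test', 'DeviceId' => '12'], ['Name' => 'test', 'DeviceId' => "12-'"]];
foreach ($samples as $post) {
    $r = handleDeviceUpdate($db, $post);
    printf("%-6s => %d %s\n", $post['DeviceId'], $r['status'], $r['body']);
}
```

Validation and binding are layered on purpose: if the integer check were ever loosened, the bound parameter would still be treated as data rather than SQL.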