Pandora FMS
cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*
- <= 5.0 SP2
Pandora FMS versions 5.0 SP2 and earlier contain a SQL injection vulnerability that can be chained with an unrestricted file upload to achieve remote code execution. The injection arises in the mobile/index.php endpoint, where user input in the loginhash_data parameter is not properly sanitized. This lack of validation allows attackers to inject SQL commands, potentially extracting administrator credentials or session tokens. After authentication is bypassed, a second vulnerability in the File Manager component enables arbitrary PHP file uploads. The file upload feature fails to restrict MIME types or file extensions, allowing authenticated users to upload web shells to a publicly accessible directory, resulting in remote code execution.
Successful exploitation of the SQL injection gives an attacker unauthorized access and allows extraction of sensitive information such as administrator credentials. The arbitrary file upload that follows can then be used to execute malicious code on the server.
To reproduce this vulnerability, send a crafted request to the mobile/index.php endpoint with an injection in the loginhash_data parameter. The SQL injection can be used to extract the administrator password hash from the database. Once the hash is obtained, it can be used to authenticate as an administrator. After successful authentication, access the File Manager component and upload a PHP file, such as a web shell, which can then be executed remotely.
Users are advised to update to Pandora FMS version 5.0 SP3 or later, where this vulnerability has been addressed.
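As a detection aid for the SQL injection described above, the following added example (not part of the original advisory or of Pandora FMS) scans web server access log lines for requests to mobile/index.php whose loginhash_data value is not a plain hex digest. It assumes combined-format logs, that the parameter is sent in the query string, and that a legitimate value is a 32 to 64 character hex digest; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate loginhash_data value is a plain hex digest.
HEX_DIGEST = re.compile(r"[0-9a-fA-F]{32,64}")
# Client address, request target and status from a combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_requests(log_lines):
    """Return (client, status, decoded_value) for each request to
    mobile/index.php whose loginhash_data is not a plain hex digest."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/mobile/index.php"):
            continue
        # parse_qs percent-decodes, so encoded quotes and comments are visible.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("loginhash_data", []):
            if not HEX_DIGEST.fullmatch(value):
                hits.append((client, int(status), value))
    return hits


# Constructed sample lines (documentation IP ranges, invented values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /mobile/index.php?loginhash_data=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /mobile/index.php?loginhash_data=x%27-- HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} loginhash_data={value!r}")
```

Parameters sent in a POST body do not appear in access logs, so in that case the same allowlist check has to run on WAF or application-level request logs instead.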