IPFire
cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*
- < 2.29 (Core Update 198)
A SQL injection vulnerability has been identified in IPFire versions prior to 2.29 (Core Update 198). This vulnerability allows authenticated attackers to manipulate SQL queries when viewing OpenVPN connection logs, specifically through the CONNECTION_NAME parameter. The issue arises because the application fails to properly sanitize or parameterize the CONNECTION_NAME value before inserting it into the SQL query's WHERE clause. As a result, attackers can exploit this flaw to alter the query execution and potentially access sensitive database information.
Exploitation of this vulnerability could lead to unauthorized database access and information disclosure.
To reproduce this vulnerability, an authenticated user can send an HTTP POST request to '/cgi-bin/logs.cgi/ovpnclients.dat' including a crafted CONNECTION_NAME parameter. The application will process the unsanitized parameter value, allowing the attacker to manipulate the SQL query and extract sensitive information from the database.
Users are advised to update to IPFire version 2.29 (Core Update 198) or later, where this vulnerability has been patched.
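The flaw class described above (a request value placed directly into a WHERE clause) is shown here next to its parameterized form, as an added example that is not IPFire's code. It uses an in-memory SQLite database; the table, column names, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data. The schema is hypothetical, not IPFire's actual one.
ROWS = [
    ("alice-laptop", "2025-01-10 08:00:00"),
    ("bob-phone", "2025-01-10 09:30:00"),
    ("o'brien-vpn", "2025-01-11 07:45:00"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (common_name TEXT, connected_at TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)", ROWS)
    return db

def sessions_unsafe(db, connection_name):
    # Vulnerable pattern: the value is concatenated into the SQL text,
    # so any quote character in it changes the structure of the query.
    sql = ("SELECT common_name, connected_at FROM sessions "
           "WHERE common_name = '" + connection_name + "'")
    return db.execute(sql).fetchall()

def sessions_safe(db, connection_name):
    # Hardened pattern: the value is bound as a parameter and is only
    # ever compared as data, never parsed as SQL.
    sql = ("SELECT common_name, connected_at FROM sessions "
           "WHERE common_name = ?")
    return db.execute(sql, (connection_name,)).fetchall()

def compare(connection_name):
    """Return (rows from concatenated query or None on SQL error,
    rows from parameterized query) for the same input."""
    db = make_db()
    try:
        unsafe = sessions_unsafe(db, connection_name)
    except sqlite3.Error:
        unsafe = None  # the input broke the statement's syntax
    return unsafe, sessions_safe(db, connection_name)

if __name__ == "__main__":
    for value in ("bob-phone", "o'brien-vpn", "x' OR '1'='1"):
        unsafe, safe = compare(value)
        shown = "SQL error" if unsafe is None else f"{len(unsafe)} rows"
        print(f"{value!r}: concatenated={shown}, bound={len(safe)} rows")
```

The concatenated query returns every row for the tautology input and fails outright on a legitimate name containing an apostrophe, while the bound query returns only exact matches in all three cases.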