LibreNMS
cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*
- 25.10.0
A boolean-based blind SQL injection vulnerability has been identified in LibreNMS versions prior to 25.11.0. The issue occurs in the application’s ajax_output.php endpoint, where the hostname parameter is directly inserted into an SQL query without adequate sanitization or parameter binding. This vulnerability allows attackers to manipulate the query logic and infer data from the database based on the application's conditional responses. Exploitation requires admin privileges to access the affected endpoint.
Exploitation of this vulnerability allows for boolean-based blind SQL injection, where an attacker can manipulate SQL query logic and infer database information through crafted conditions. This could lead to unauthorized data access or manipulation within the LibreNMS application.
To reproduce this vulnerability, authenticate with an administrator account and access the '/ajax_output.php' endpoint. Include a payload in the hostname parameter that exploits the SQL injection vulnerability by injecting boolean logic. Observe the application's response to confirm the injection was successful.
Users are advised to update LibreNMS to version 25.11.0 or later, where this vulnerability has been patched.