LibreNMS SQL Injection Vulnerability in IPv6 Address Search

Vulnerability

A SQL injection vulnerability has been identified in LibreNMS versions prior to 25.12.0. The issue arises in the 'ajax_table.php' endpoint, where user input for IPv6 address searches is not properly sanitized or parameterized. Specifically, the 'address' parameter is split into an address and a prefix, with the prefix being directly concatenated into the SQL query without validation. This flaw allows attackers to inject arbitrary SQL commands, potentially leading to unauthorized data access or manipulation. The vulnerability has been patched in version 26.2.0.
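The following is an added illustration, not LibreNMS code: a hypothetical search handler written the way the advisory describes (prefix concatenated into the SQL text) next to a hardened version that validates the prefix as an integer in 0..128 and binds both halves as parameters. The table, column names and rows are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for an IPv6 address table (not LibreNMS's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ipv6_addresses (ipv6_address TEXT, ipv6_prefixlen INTEGER, port_id INTEGER)")
    conn.executemany("INSERT INTO ipv6_addresses VALUES (?, ?, ?)",
                     [("2001:db8::1", 64, 1), ("2001:db8::2", 64, 2), ("2001:db8:1::1", 48, 3)])
    return conn

def split_address(raw):
    """Split the 'address' parameter into (address, prefix); prefix is None when no '/' is present."""
    addr, sep, prefix = raw.partition("/")
    return addr, (prefix if sep else None)

def search_vulnerable(conn, raw):
    """Pattern the advisory describes: the prefix is pasted into the SQL text without validation."""
    addr, prefix = split_address(raw)
    sql = "SELECT port_id FROM ipv6_addresses WHERE ipv6_address LIKE ?"
    params = ["%" + addr + "%"]
    if prefix is not None:
        sql += " AND ipv6_prefixlen = " + prefix  # whatever follows '/' is parsed as SQL
    return [row[0] for row in conn.execute(sql + " ORDER BY port_id", params)]

def is_valid_prefix(prefix):
    """An IPv6 prefix length is a plain decimal integer in 0..128; anything else is rejected."""
    return prefix.isdigit() and 0 <= int(prefix) <= 128

def search_hardened(conn, raw):
    """Hardened form: validate both halves of the input, then bind them as query parameters."""
    addr, prefix = split_address(raw)
    # Partial matches are still allowed, but only characters that occur in an IPv6 literal.
    if not addr or any(c not in "0123456789abcdefABCDEF:." for c in addr):
        raise ValueError("invalid IPv6 search text")
    sql = "SELECT port_id FROM ipv6_addresses WHERE ipv6_address LIKE ?"
    params = ["%" + addr + "%"]
    if prefix is not None:
        if not is_valid_prefix(prefix):
            raise ValueError("invalid prefix length")
        sql += " AND ipv6_prefixlen = ?"   # bound, never concatenated
        params.append(int(prefix))
    return [row[0] for row in conn.execute(sql + " ORDER BY port_id", params)]
```

The same validation is a useful detection signal: a prefix that is not a short decimal integer should never appear in legitimate search traffic to this endpoint.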

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, which could be used to access or manipulate database information without authorization.

Reproduction

To reproduce this vulnerability, send a POST request to the 'ajax_table.php' endpoint with the 'search_type' set to 'ipv6' and the 'address' parameter crafted to include a prefix that exploits the SQL query construction. The injected SQL payload should be designed to manipulate the SQL query execution, taking advantage of the direct concatenation of the prefix into the SQL string.

Remediation

Users are advised to update LibreNMS to version 26.2.0 or later.

Added: Feb 20, 2026, 2:32 AM
Updated: Feb 20, 2026, 2:32 AM

Vulnerability Rating

Custom Algorithm
spread          5.0
impact          3.1
exploitability  9.5
remediation     7.7
relevance       3.1
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.