LibreNMS
cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*
- <= 25.12.0
A time-based blind SQL injection vulnerability has been identified in LibreNMS versions through 25.12.0. The issue resides in the 'address-search.inc.php' file, specifically in the handling of the 'address' parameter. The subnet prefix supplied in that parameter is concatenated into the SQL query without parameter binding, so a crafted prefix becomes part of the statement. An authenticated user can manipulate the query this way and infer database contents from the time the server takes to respond.
Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL commands, leading to unauthorized data access or manipulation. In this case, it could be used to extract sensitive information from the database, including administrative credentials.
To reproduce this vulnerability, send a POST request to '/ajax_table.php' with a crafted 'address' parameter that includes SQL injection payloads. The injection point is within the 'ipv4' address search type. The vulnerability can be exploited by any authenticated user.
Users are advised to update to LibreNMS version 26.2.0 or later, where this vulnerability has been fixed.
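The concatenation flaw described above, next to a validated and parameter-bound form, as an added example that is not LibreNMS code: it models the pattern in Python with an in-memory SQLite database. The table, columns, function names and sample rows are hypothetical and constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ipv4_addresses (address TEXT, prefixlen INTEGER)")
    db.executemany("INSERT INTO ipv4_addresses VALUES (?, ?)",
                   [("192.0.2.10", 24), ("192.0.2.77", 28), ("198.51.100.5", 30)])
    return db

def search_concatenated(db, address):
    """Flawed pattern: the text after '/' is pasted into the SQL statement."""
    ip, _, prefix = address.partition("/")
    sql = "SELECT address FROM ipv4_addresses WHERE address LIKE ?"
    if prefix:
        sql += " AND prefixlen = " + prefix  # request text becomes SQL syntax
    sql += " ORDER BY address"
    return [row[0] for row in db.execute(sql, (ip + "%",))]

def search_bound(db, address):
    """Hardened pattern: validate both parts, then bind them as parameters."""
    ip, sep, prefix = address.partition("/")
    if not re.fullmatch(r"[0-9.]{1,15}", ip):
        raise ValueError("address must contain only digits and dots")
    sql = "SELECT address FROM ipv4_addresses WHERE address LIKE ?"
    params = [ip + "%"]
    if sep:
        if not re.fullmatch(r"[0-9]{1,2}", prefix) or int(prefix) > 32:
            raise ValueError("prefix must be an integer from 0 to 32")
        sql += " AND prefixlen = ?"
        params.append(int(prefix))  # sent to the driver as data, never as SQL
    sql += " ORDER BY address"
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    altered = "192.0.2/24 OR 1=1"  # constructed input that changes the WHERE clause
    print(search_concatenated(db, "192.0.2/24"))  # one matching row
    print(search_concatenated(db, altered))       # filter bypassed: every row
    print(search_bound(db, "192.0.2/24"))         # one matching row
    try:
        search_bound(db, altered)
    except ValueError as exc:
        print("rejected:", exc)
```
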