LibreNMS Local File Inclusion Vulnerability in NFSen Module

Vulnerability

A Local File Inclusion (LFI) vulnerability has been identified in the NFSen module of LibreNMS version 22.11.0-23-gd091788f2. It allows authenticated attackers to include arbitrary PHP files from the server filesystem by supplying path traversal sequences in the 'nfsen' parameter. The issue arises because user input is concatenated directly into the 'include()' statement without sanitization; the only validation performed is a file existence check, which does not prevent path traversal.

Impact

Exploitation of this vulnerability allows for Local File Inclusion, where an attacker can include and execute arbitrary '.inc.php' files. This could lead to privilege escalation, since a low-privileged user can load admin-only pages. Additionally, if an attacker can control the content of an included '.inc.php' file, the result could be remote code execution.

Reproduction

To reproduce this vulnerability, log into LibreNMS as an authenticated user and navigate to a device's Netflow tab. Once there, append a path traversal payload to the 'nfsen' parameter in the URL. If successful, the API Access page content will be loaded instead of the normal NFSen content, demonstrating that the vulnerability has been exploited.

Remediation

It is recommended to implement whitelist-based validation for the 'nfsen' parameter or to use the 'basename()' function to strip path traversal characters before including the file.
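The weak check the advisory describes next to an allow-list version of the remediation it recommends, as an added illustration rather than LibreNMS's own code; the page directory, function names and allow-list entries are assumptions for this example:

```php
<?php
// Added example (not LibreNMS's own code). $pagesDir, the function names and
// the NFSEN_PAGES entries are assumptions made for this illustration.

// Weak: file_exists() only confirms the file is present. It does not stop
// "../" from walking out of $pagesDir, so any existing *.inc.php on the
// server is reachable through the request parameter.
function includeNfsenPageWeak(string $pagesDir, string $nfsen): bool
{
    $file = $pagesDir . '/' . $nfsen . '.inc.php';
    if (!file_exists($file)) {
        return false;
    }
    include $file;
    return true;
}

// Hardened: map the request value onto a fixed set of known page names and
// build the path from the resolved name, never from the raw input.
const NFSEN_PAGES = ['overview', 'graphs'];   // constructed allow-list

function resolveNfsenPage(string $pagesDir, string $nfsen): ?string
{
    // basename() drops directory components as defense in depth; the
    // allow-list is what actually decides which file may be included.
    $name = basename($nfsen);
    if (!in_array($name, NFSEN_PAGES, true)) {
        return null;
    }
    // realpath() canonicalises both sides so symlinks or traversal cannot
    // escape $pagesDir even if the allow-list is extended later.
    $real = realpath($pagesDir . '/' . $name . '.inc.php');
    $base = realpath($pagesDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function includeNfsenPage(string $pagesDir, string $nfsen): bool
{
    $file = resolveNfsenPage($pagesDir, $nfsen);
    if ($file === null) {
        http_response_code(400);   // reject unknown or traversing values
        return false;
    }
    include $file;
    return true;
}
```

A rejected request is also worth logging with the raw 'nfsen' value, since repeated rejections from one account are a useful detection signal for traversal attempts.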

Added: Apr 14, 2026, 4:01 PM
Updated: Apr 14, 2026, 4:01 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 3.1
exploitability: 6.0
remediation: 0.0
relevance: 5.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.