I'm Daniel França Lima and i'm a penetration tester Jr and vulnerability researcher at Hakai Offensive Security. In order to help the hacking community, companies and also improve my skills, I periodically look for flaws in market applications with the goal of achieving responsible disclosure.
Centreon is a system and network asset monitoring solution based on the Nagios standard, being open source, and allowing easy and effective installation and implementation, monitoring and performance management.
When analyzing the application, it was possible to find a sql injection vulnerability in the esc_name(Escalation Name) parameter located at “Configuration/Notifications/Escalations”.
About SQL Injection
A SQL injection attack consists in manipulating SQL queries via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. With this explanation in mind, we can move on to technical details.
When analyzing the requests, it was possible to notice that it was a blind-sqli (a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response) more specifically a time-based attack in which the application's response time is used. Below is a proof of concept.
About Stored Cross-Site Scripting
In the same field mentioned earlier it was possible to find another vulnerability called Cross-Site Scripting (XSS). Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
23/05/2022 - Notified vendor.
24/05/2022 - Vendor acknowledged disclosure.
04/08/2022 - New versions of software released with patches.
26/08/2022 - Blog post release