Medium severity 5.9 · NVD Advisory · Published Nov 9, 2017 · Updated May 13, 2026
CVE-2017-16759
Description
The installation process in LibreNMS before 2017-08-18 allows remote attackers to read arbitrary files, related to html/install.php.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| librenms/librenms (Packagist) | < 1.31 | 1.31 |
Affected products (1)
Patches (2)
d3094fa6578b security: Security Patch to deal with reported vulnerabilties (#7164)
2 files changed · +5 −2
html/install.php+4 −2 modified@@ -2,7 +2,7 @@ session_start(); if (empty($_POST) && !empty($_SESSION) && !isset($_REQUEST['stage'])) { $_POST = $_SESSION; -} else { +} elseif (!file_exists("../config.php")) { $_SESSION = array_replace($_SESSION, $_POST); } @@ -52,7 +52,9 @@ // Check we can connect to MySQL DB, if not, back to stage 1 :) if ($stage > 1) { try { - dbConnect(); + if ($stage != 6) { + dbConnect(); + } if ($stage == 2 && $_SESSION['build-ok'] == true) { $stage = 3; $msg = "It appears that the database is already setup so have moved onto stage $stage";
includes/dbFacile.php+1 −0 modified@@ -58,6 +58,7 @@ function dbConnect($host = null, $user = '', $password = '', $database = '', $po $socket = empty($socket) ? $config['db_socket'] : $socket; $database_link = mysqli_connect('p:' . $host, $user, $password, null, $port, $socket); + mysqli_options($database_link, MYSQLI_OPT_LOCAL_INFILE, false); if ($database_link === false) { $error = mysqli_connect_error(); if ($error == 'No such file or directory') {
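Review bot: In the first html/install.php hunk, `file_exists("../config.php")` uses a relative path, which PHP resolves against the current working directory rather than the directory that holds install.php. Anchor it on the script location, for example `__DIR__ . '/../config.php'`, so the check cannot silently miss the file when the script is reached through a different working directory. Note also that the new `elseif` only stops `$_POST` from being merged into `$_SESSION` once config.php exists; the `$_POST = $_SESSION` branch above it and the rest of the script still run, so it is worth deciding whether the installer should stop outright when a configuration is already present.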
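Review bot: In the second html/install.php hunk, `if ($stage != 6)` skips `dbConnect()` for one stage using a bare literal and a loose comparison, and the comment directly above ("Check we can connect to MySQL DB, if not, back to stage 1") no longer describes what happens at that stage. Add a comment stating why stage 6 needs no database connection, and if `$stage` is derived from request input, cast it to an integer and compare strictly so that only the intended stage bypasses the connection.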
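Review bot: In the includes/dbFacile.php hunk, the added `mysqli_options($database_link, MYSQLI_OPT_LOCAL_INFILE, false);` runs before the `$database_link === false` check, so a failed `mysqli_connect()` passes `false` into `mysqli_options()`. Move the call below the failure check, or restructure to `mysqli_init()`, then `mysqli_options()`, then `mysqli_real_connect()`: the PHP manual documents `mysqli_options()` as being called between those two, and whether the option is honoured on a link that is already open should be confirmed with a test rather than assumed. The return value of `mysqli_options()` is also discarded; since this line is the control that disables LOCAL INFILE, a failure to set it should be treated as a connection error.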
7887b2e1c715 security: Security Patch to deal with reported vulnerabilties (#7164)
2 files changed · +5 −2
html/install.php+4 −2 modified@@ -2,7 +2,7 @@ session_start(); if (empty($_POST) && !empty($_SESSION) && !isset($_REQUEST['stage'])) { $_POST = $_SESSION; -} else { +} elseif (!file_exists("../config.php")) { $_SESSION = array_replace($_SESSION, $_POST); } @@ -52,7 +52,9 @@ // Check we can connect to MySQL DB, if not, back to stage 1 :) if ($stage > 1) { try { - dbConnect(); + if ($stage != 6) { + dbConnect(); + } if ($stage == 2 && $_SESSION['build-ok'] == true) { $stage = 3; $msg = "It appears that the database is already setup so have moved onto stage $stage";
includes/dbFacile.php+1 −0 modified@@ -58,6 +58,7 @@ function dbConnect($host = null, $user = '', $password = '', $database = '', $po $socket = empty($socket) ? $config['db_socket'] : $socket; $database_link = mysqli_connect('p:' . $host, $user, $password, null, $port, $socket); + mysqli_options($database_link, MYSQLI_OPT_LOCAL_INFILE, false); if ($database_link === false) { $error = mysqli_connect_error(); if ($error == 'No such file or directory') {
References (7)
- github.com/librenms/librenms/commit/7887b2e1c7158204ac69ca43beafce66e4d3a3b4 (nvd: Patch, Third Party Advisory, WEB)
- github.com/librenms/librenms/commit/d3094fa6578b29dc34fb5a7d0bd6deab49ecc911 (nvd: Patch, Third Party Advisory, WEB)
- blog.librenms.org/2017/08/22/librenms-security-fix-during-the-installation-process/ (nvd: Third Party Advisory)
- github.com/advisories/GHSA-4ccx-wjqp-5fww (ghsa: ADVISORY)
- github.com/librenms/librenms/pull/7184 (nvd: Third Party Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2017-16759 (ghsa: ADVISORY)
- blog.librenms.org/2017/08/22/librenms-security-fix-during-the-installation-process (ghsa: WEB)