CVE-2020-25133
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though limited to the mentioned extension) can lead to Remote Code Execution. This can occur via /ports/?format=../ URIs to pages/ports.inc.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A directory traversal vulnerability in Observium 20.8.10631 lets authenticated attackers load arbitrary .inc.php files, potentially leading to remote code execution via the ports page.
Vulnerability
Observium Professional, Enterprise & Community version 20.8.10631 (and possibly earlier versions) contains a directory traversal and local file inclusion vulnerability in the /ports/ page. The application does not sanitize the format parameter before using it to build an include path, so an attacker who supplies ../ traversal sequences can include any file on the server whose name ends with the .inc.php extension, including files outside the intended pages/ directory. The vulnerable endpoint is pages/ports.inc.php, which uses the format parameter to select the file to load [1].
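The root cause described above is a common pattern: user input is joined onto a directory and a fixed suffix, and the suffix is treated as the security control. The following Python example, added here and not taken from Observium or from the advisory, contrasts that weak pattern with a resolver that allowlists the token and confirms the resolved path stays inside the handler directory. The directory layout (a web root containing html/pages/ and html/includes/polling/), the ALLOWED_FORMATS set, and the function names are assumptions constructed for the demonstration.

```python
"""Added example (not Observium's code): why a fixed ".inc.php" suffix is not a
safe include filter, and how to resolve a user-supplied page name safely.

Assumptions (constructed for this example): a pages/ directory of format
handlers under a web root, and a sibling includes/ tree that must never be
reachable through the "format" parameter.
"""
import os
import re
import tempfile
from typing import Optional

# Only names in this allowlist may ever be turned into a file path.
ALLOWED_FORMATS = {"list", "graphs"}
_SAFE_NAME = re.compile(r"^[a-z0-9_]{1,32}$")


def naive_resolve(pages_dir: str, fmt: str) -> str:
    """The weak pattern: user input is glued onto a directory and a suffix.
    The suffix restricts the extension, but '../' inside fmt escapes pages_dir."""
    return os.path.normpath(os.path.join(pages_dir, fmt + ".inc.php"))


def hardened_resolve(pages_dir: str, fmt: str) -> Optional[str]:
    """Returns a path only if fmt is an allowlisted token and the resolved
    file really lives inside pages_dir; otherwise None."""
    if not _SAFE_NAME.match(fmt) or fmt not in ALLOWED_FORMATS:
        return None
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, fmt + ".inc.php"))
    # Containment check: the resolved path must stay under pages_dir.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def build_demo_tree() -> str:
    """Constructs a throwaway web root: pages/list.inc.php plus an out-of-scope
    includes/polling/wmi.inc.php, mirroring the layout named in the advisory."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    os.makedirs(os.path.join(root, "html", "pages"))
    os.makedirs(os.path.join(root, "html", "includes", "polling"))
    for rel in ("html/pages/list.inc.php", "html/includes/polling/wmi.inc.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // placeholder\n")
    return root


def compare(fmt: str) -> dict:
    """Runs both resolvers on one input and reports whether the naive one
    escaped pages/ and whether the hardened one accepted the input."""
    root = build_demo_tree()
    pages = os.path.join(root, "html", "pages")
    naive = naive_resolve(pages, fmt)
    return {
        "naive_escapes": not naive.startswith(pages + os.sep),
        "naive_exists": os.path.isfile(naive),
        "hardened": hardened_resolve(pages, fmt),
    }


if __name__ == "__main__":
    for fmt in ("list", "../includes/polling/wmi"):
        print(fmt, compare(fmt))
```

The traversal input still ends in .inc.php after the suffix is appended, so the naive resolver happily points at includes/polling/wmi.inc.php; the hardened resolver rejects it at the allowlist step, and the realpath containment check is a second line of defence should the allowlist ever be loosened.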
Exploitation
An attacker must first authenticate to Observium with a valid user account. After authentication, a crafted GET request to /ports/?format=../../../includes/polling/wmi (or similar traversal path) will include the file includes/polling/wmi.inc.php from outside the web root. The attacker can specify any valid file path on the server as long as the filename ends with .inc.php. No other special privileges or user interaction beyond login is required [1].
Impact
Successful exploitation allows an attacker to include arbitrary .inc.php files, which may contain malicious code or sensitive configuration. Due to the unrestricted inclusion, an attacker can further achieve remote code execution (RCE) by crafting or chaining with other files, leading to full compromise of the Observium server and the data it monitors. The CIA triad is severely affected: confidentiality via reading arbitrary .inc.php files, integrity via code execution, and availability via potential service disruption [1].
Mitigation
As of publication date (2020-09-25), no official patch or fixed version has been announced by Observium. Users should monitor the vendor for a security update. No workaround is available. Restricting access to the Observium web interface via network segmentation and applying the principle of least privilege to user accounts may reduce risk but does not eliminate the vulnerability [1].
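With no fix available at the time of the advisory, the practical defender step beyond network restriction is to watch the web server's access log for the request shape the advisory describes. The following Python detector is an added example, not part of the advisory or of Observium; the combined-format log lines are constructed for the demonstration, and the function names are assumptions. It decodes the format parameter (including single- and double-percent-encoded variants) and flags any value containing a ../ segment.

```python
"""Added example (not from the advisory or Observium): flag access-log
requests whose "format" query parameter carries a directory-traversal
sequence. The log lines below are constructed for this example."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - alice [25/Sep/2020:10:01:12 +0000] "GET /ports/?format=list HTTP/1.1" 200 5123
10.0.0.9 - bob [25/Sep/2020:10:02:40 +0000] "GET /ports/?format=../../../includes/polling/wmi HTTP/1.1" 200 812
10.0.0.9 - bob [25/Sep/2020:10:02:41 +0000] "GET /ports/?format=..%2F..%2Fincludes%2Fpolling%2Fwmi HTTP/1.1" 200 812
10.0.0.9 - bob [25/Sep/2020:10:02:42 +0000] "GET /ports/?format=%252e%252e%252fincludes%252fpolling%252fwmi HTTP/1.1" 200 812
10.0.0.7 - carol [25/Sep/2020:10:03:02 +0000] "GET /devices/ HTTP/1.1" 200 9001
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment bounded by separators (or the string ends).
_TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')


def normalize(value: str) -> str:
    """Percent-decode until the value stops changing (max 3 rounds) and fold
    backslashes to slashes, so every encoding of '../' compares the same way."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(value: str) -> bool:
    """True if the decoded parameter contains a '..' path segment."""
    return bool(_TRAVERSAL.search(normalize(value)))


def scan(log_text: str, param: str = "format") -> list:
    """Return one record per request whose `param` value looks like traversal.
    The status code is kept: a 200 on such a request is the worrying case."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # parse_qs already decodes one layer; normalize() handles the rest.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if is_traversal(value):
                hits.append({
                    "ip": m["ip"],
                    "user": m["user"],
                    "path": parts.path,
                    "status": int(m["status"]),
                    "format": normalize(value),
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the vulnerability requires an authenticated session, the user field in each hit identifies the account to review; running the same scan with a different `param` name extends it to other include-style parameters in the same application.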
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Observium/Observium Professional, Enterprise & Community
  - Range: = 20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://gist.github.com/mariuszpoplawski/e9796c9d83e820302ea2ffec5ff9b298 (MISC)
News mentions
No linked articles in our index yet.