CVE-2020-25136
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion because any file with an inc.php extension can be loaded without restriction. Inclusion of other files (even though limited to that extension) can lead to Remote Code Execution. This can occur via /device/device=345/?tab=routing&proto=../ URIs to device/routing.inc.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observium 20.8.10631 suffers from directory traversal in device/routing.inc.php that allows inclusion of arbitrary .inc.php files, leading to RCE.
Vulnerability
CVE-2020-25136 affects Observium Professional, Enterprise & Community version 20.8.10631. The issue resides in device/routing.inc.php, where the proto parameter in URLs such as /device/device=345/?tab=routing&proto=... is not sanitized. This allows directory traversal and local file inclusion of any file with an .inc.php extension, even outside the web root directory. Affected versions include all editions of 20.8.10631 [1].
Exploitation
An attacker must be authenticated to Observium. The exploit involves crafting a request to /device/device=345/?tab=routing&proto=../..// where the proto parameter contains directory traversal sequences (../) to point to an arbitrary .inc.php file. The example provided in the reference uses ../../../../includes/polling/wmi to include a file outside the web root. The attacker can then execute code within the included file if it contains PHP code (such as wmi.inc.php), leading to remote code execution [1].
Impact
Successful exploitation enables an authenticated attacker to include arbitrary .inc.php files from the server. Since these files can contain PHP code, this can lead to remote code execution (RCE) with the privileges of the web server. The attacker can potentially gain full control over the Observium instance, access sensitive data, or pivot to other systems. The CIA triad is fully compromised [1].
Mitigation
As of the publication date (2020-09-25), no official patch has been released for version 20.8.10631. Users should upgrade to a later version of Observium that addresses this issue. If no patch is available, restrict access to the affected URL paths via web server rules (e.g., blocking requests containing ../ in the proto parameter) and ensure proper input validation. The vulnerability is not listed on the CISA KEV list [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
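The input-validation mitigation described above, as an added example in Python that is not Observium's code: an allowlist check for the proto selector (the ALLOWED_PROTO set is a hypothetical stand-in, since the page does not list the real routing tabs) and a detector that flags traversal in the proto parameter across constructed access-log lines, including percent-encoded and double-encoded forms that a rule matching only a literal ../ would miss.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allowlist of routing sub-tabs; the real Observium set is not given on the page.
ALLOWED_PROTO = {"bgp", "ospf", "eigrp", "isis"}


def safe_proto(proto: str) -> Optional[str]:
    """Accept proto only if it is an allowlisted token, else return None.

    With an allowlist the include path is fixed by construction, so the encoding
    of a traversal sequence no longer matters.
    """
    return proto if proto in ALLOWED_PROTO else None


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f) is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# A '..' path segment, with either slash style, after full decoding.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def is_traversal_attempt(uri: str) -> bool:
    """True if any proto= value in the request URI carries a '..' segment."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return any(TRAVERSAL.search(fully_decode(v)) for v in params.get("proto", []))


# Constructed access-log lines for the check below (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [25/Sep/2020:10:00:01 +0000] "GET /device/device=345/?tab=routing&proto=bgp HTTP/1.1" 200 5120
10.0.0.9 - bob [25/Sep/2020:10:00:07 +0000] "GET /device/device=345/?tab=routing&proto=../../../../includes/polling/wmi HTTP/1.1" 200 812
10.0.0.9 - bob [25/Sep/2020:10:00:09 +0000] "GET /device/device=345/?tab=routing&proto=%2e%2e%2f%2e%2e%2fincludes/polling/wmi HTTP/1.1" 200 812
"""
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(log_text: str) -> List[str]:
    """Return request URIs from an access log whose proto parameter carries traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if m and is_traversal_attempt(m.group(1)):
            hits.append(m.group(1))
    return hits
```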
Affected products
- Observium/Observium Professional, Enterprise & Community
- Range: =20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] gist.github.com/mariuszpoplawski/5ae335a080ba40996d4020181759e02f
News mentions
No linked articles in our index yet.