Bug report: possibel injection

Tags: #<Tag:0x00007f063f500c98>

So I guess I ran into an injection problem:

I added hosts per bash script and API call to LibreNMS. By mistake I added a host named $OUTPUT, which the API confirmed:

    "status": "ok",
    "message": "Device $OUTPUT (772) has been added successfully"

As I tried to delete the device named $OUTPUT through the web interface, the log in the web interface told me, that it deleted all rrd files of all the devices. Uh, nice one. Unfortunately I didn’t make a screen shot as I was too busy having a mild heart attack.

After recovering from that heart attack I checked the rrd directories and found the rrd files still beeing there and still being updated. In the web interface no graphs are showing up, so I guess the references to the rrd files are deleted in the database.

A quick du -a /opt/librenms/rrd/ | grep '\.rrd' | wc -l shows 6134 rrd files, which shuold work, as the stats of the system are as follows:

Devices 762 Ports 735
IPv4 Addresses 104 IPv4 Networks 21
IPv6 Addresses 0 IPv6 Networks 0
Services 0 Applications 0
Processors 22 Memory 45
Storage 9 Disk I/O 13
HR-MIB 15 Entity-MIB 877
Syslog Entries 0 Eventlog Entries 140933
Sensors 1532 Wireless Sensors 0
Toner 0

Roundabout 700 are ping-only hosts, the rest are PSUs and a few big network devices. This is only my test system, so setting it up a-new is already counted in. But could the inserting-$OUTPUT-deleting-$OUTPUT be dangerous?

Oh, yes, my validate.php. (The discovery-fail is due to me adding 7000 hosts as a bulk just a few minutes before the $OUTPUT incident. The rest isn’t connected to the deletion incident IMHO.)

Component | Version
--------- | -------
LibreNMS  | 1.58.1
DB Schema | 2019_08_10_223200_add_enabled_to_users (147)
PHP       | 7.2.5
MySQL     | 10.2.25-MariaDB
RRDTool   | 1.7.0
SNMP      | NET-SNMP 5.7.3

[OK]    Composer Version: 1.9.1
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database schema correct
[FAIL]  Discovery has not completed in the last 24 hours.
	Check the cron job to make sure it is running and using discovery-wrapper.py
[FAIL]  fping6 location is incorrect or bin not installed.
	Install fping6 or manually set the path to fping6 by placing the following in config.php: $config['fping6'] = '/path/to/fping6';
[WARN]  Your local git contains modified files, this could prevent automatic updates.
	You can fix this with ./scripts/github-remove
	Modified Files:

Update: checking the web interface after writing the first post showed, that the graphs are beeing drawn new - what looks like into new rrd files. I’m off for now, but will check this finding later.

Now I don’t want to muddy the water with what may be pure red herring coincidence, but I had the exact same experience earlier today, with all my RRD graphs disappearing, but then carrying on writing anew - around the time I was doing some work, using snmp-scan.py to add some new management subnets, then used the gui to remove a switch, and then re-add it, as it had added by its IP, not resolved to its hostname.

I was really lucky that I have a secondary identical librenms setup I was able to rsync across all the old rrd files from - so after not being able to see anything obviously wrong, and no errors in librenms.log I just went ahead and pulled them over.

I’m not sure if there is any connection here at all, but after having more than 3 months of very stable monitoring, this has been a bit of a puzzler

Edit - My memory kicked in with more detail of what I was doing at the time