Weird behavior in LibreNMS whois demo


Yesterday I wanted to test LibreNMS demo and saw there was a whois feature so I tried different things:


Everything went well until I tested this one:

  • com

And got some errors back:

The base64 encoded thing appears to be an image of a tiny blue shield… I did a reverse a reverse code search on the base64 string and found it to be related to toastr js notifications, which is consistent with the js libraries loaded in the page.

Any idea on what might be causing this? Why so many replies?

According to the codebase:

$cmd = $config['whois']." $host | grep -v \%";

That means com passes the 3 filters.

I would be glad to understand better this feature and wonder if thous could be exploitable in any way.
Thank you!

A. the RIPE whois doesn’t use netcmd.php, it just talks to the RIPE api
B. I think com is an alias for a network.