CVE-2012-0263

Source: cve@mitre.org

MEDIUM
4.0
Published: December 31, 2013 at 08:55 PM
Modified: April 11, 2025 at 12:51 AM

Vulnerability Description

monitor/index.php in op5 Monitor and op5 Appliance before 5.5.1 allows remote authenticated users to obtain sensitive information such as database and user credentials via error messages that are triggered by (1) a malformed hoststatustypes parameter to status/service/all or (2) a crafted request to config.

CVSS Metrics

Base Score: 4.0
Severity: MEDIUM
Vector String: AV:N/AC:L/Au:S/C:P/I:N/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

op5 Monitor and op5 Appliance versions prior to 5.5.1 are vulnerable to a critical information disclosure flaw. Authenticated attackers can leverage malformed requests to expose sensitive data, including database credentials and user credentials, potentially leading to complete system compromise and data breaches.

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker must first authenticate to the op5 Monitor or op5 Appliance instance. This is a prerequisite for exploiting the vulnerability.

Step 2: Malformed Request (Method 1): The attacker crafts a request to status/service/all with a malformed hoststatustypes parameter. This parameter is designed to filter the status of hosts. The attacker provides an invalid value, triggering an error.

Step 3: Malformed Request (Method 2): The attacker sends a crafted request to config. The request is designed to trigger an error.

Step 4: Error Trigger: The malformed input causes the application to generate an error message.

Step 5: Information Disclosure: The error message, due to inadequate error handling, contains sensitive information such as database credentials, user credentials, or configuration details. This information is then revealed to the attacker.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and error handling within the monitor/index.php script. Specifically, the script fails to properly sanitize user-supplied input in the hoststatustypes parameter of the status/service/all endpoint and when processing requests to config. This lack of validation allows attackers to craft malicious requests that trigger error messages containing sensitive information. The root cause is a failure to implement robust input validation and secure error handling, leading to the leakage of critical credentials and configuration details. This is a classic example of an information disclosure vulnerability.

04 // Exploitation Status

While a public PoC may not be readily available, the vulnerability is easily exploitable with the right knowledge of the application. The ease of exploitation, combined with the sensitive data exposed, makes this a high-risk vulnerability. The vulnerability is likely Exploitable.

05 // Threat Intelligence

While no specific APT groups are directly linked to this CVE, any threat actor with access to the op5 Monitor or op5 Appliance could exploit this vulnerability. The impact of this vulnerability could facilitate a wide range of attacks, including data theft, system compromise, and lateral movement.

CISA KEV status: Not Listed

06 // Detection & Hunting

  • Monitor web server logs for suspicious requests to status/service/all with malformed hoststatustypes parameters.

  • Monitor web server logs for requests to config with suspicious payloads.

  • Analyze error logs for unexpected error messages that may contain sensitive information.

  • Implement file integrity monitoring to detect changes to critical configuration files.
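
The first hunting item above, sketched as a log filter. This is an added example, not code from op5 or from the advisory. It assumes Apache/nginx "combined" access logs and that a well-formed hoststatustypes value is a short decimal integer; the sample lines, users and URL prefix are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log layout: Apache/nginx "combined" format. Adjust for your server.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"'
)
ENDPOINT = "status/service/all"  # path named in the CVE description
PARAM = "hoststatustypes"        # parameter named in the CVE description

# Constructed sample lines (documentation IPs, invented users and URL prefix).
SAMPLE_LOG = [
    '192.0.2.10 - alice [31/Dec/2013:20:55:01 +0000] "GET /monitor/index.php/'
    'status/service/all?hoststatustypes=6 HTTP/1.1" 200 5120',
    '192.0.2.44 - bob [31/Dec/2013:20:56:12 +0000] "GET /monitor/index.php/'
    'status/service/all?hoststatustypes=not%2Da%2Dnumber HTTP/1.1" 200 812',
    '192.0.2.10 - alice [31/Dec/2013:20:57:40 +0000] "GET /monitor/index.php/'
    'tac/index HTTP/1.1" 200 2048',
]


def is_well_formed(value):
    """Assumption: a valid value is a short decimal integer (status bitmask)."""
    return value.isascii() and value.isdigit() and len(value) <= 4


def hunt(lines):
    """Return one finding per request carrying a malformed hoststatustypes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or ENDPOINT not in url.path:
            continue
        query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
        for key, values in query.items():
            # Key variants that only start with the name are flagged as well.
            if not key.startswith(PARAM):
                continue
            if key != PARAM or len(values) > 1 or not all(map(is_well_formed, values)):
                findings.append({"ip": m["ip"], "user": m["user"],
                                 "time": m["ts"], "value": values})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Each finding carries the client address and the logged user, so hits can be matched against the accounts that are allowed to use the interface.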

07 // Remediation & Hardening

  • Upgrade to op5 Monitor or op5 Appliance version 5.5.1 or later.

  • Implement robust input validation to sanitize all user-supplied input, especially for the hoststatustypes parameter and requests to config.

  • Implement secure error handling to prevent the disclosure of sensitive information in error messages. Consider logging errors securely without exposing sensitive details.

  • Review and harden the op5 Monitor and op5 Appliance configuration to minimize the attack surface.

  • Regularly audit the system for vulnerabilities and apply security patches promptly.

08 // Affected Products

  • op5 Monitor (versions prior to 5.5.1)

  • op5 Appliance (versions prior to 5.5.1)