monitor/index.php in op5 Monitor and op5 Appliance before 5.5.1 allows remote authenticated users to obtain sensitive information such as database and user credentials via error messages that are triggered by (1) a malformed hoststatustypes parameter to status/service/all or (2) a crafted request to config.
Op5 Monitor and Appliance versions prior to 5.5.1 are vulnerable to a critical information disclosure flaw, allowing remote authenticated users to extract sensitive credentials, including database and user credentials. This vulnerability can be exploited through crafted requests to the status/service/all endpoint or the config endpoint, leading to the leakage of sensitive information via error messages. Successful exploitation could lead to complete system compromise.
Step 1: Authentication: The attacker must first authenticate to the op5 Monitor or Appliance system. This is a prerequisite, but the level of access required is not specified, so it could be a low-privilege account.
Step 2: Crafted Request (Method 1): The attacker crafts a malicious request to the status/service/all endpoint, including a malformed hoststatustypes parameter. The malformed input is designed to trigger an error condition within the application.
Step 3: Crafted Request (Method 2): The attacker crafts a malicious request to the config endpoint. The crafted request is designed to trigger an error condition within the application.
Step 4: Error Message Generation: The application, due to the lack of proper input validation, generates an error message that includes sensitive information such as database credentials or other configuration details.
Step 5: Information Disclosure: The attacker receives the error message, which contains the sensitive information, allowing them to gain unauthorized access to the system or escalate their privileges.
The vulnerability stems from insufficient input validation and error handling within the monitor/index.php script. Specifically, the script fails to properly sanitize user-supplied input, particularly the hoststatustypes parameter in the status/service/all endpoint and requests made to the config endpoint. When malformed input is provided, the application generates detailed error messages that inadvertently reveal sensitive information, such as database usernames, passwords, and potentially other configuration details. Because the disclosed values are credentials, an authenticated user with only low privileges can reuse them to gain unauthorized access to critical system resources beyond their own authorization. The root cause is a failure to implement robust input validation and secure error message handling, leading to information leakage.
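The two weaknesses named above (unvalidated hoststatustypes input and error messages that echo internals) shown side by side in a small PHP handler, as an added illustration that is not op5's code; the table name, column names, the bitmask values and the PDO-backed controller are assumptions.

```php
<?php
// Added example, not code from op5 Monitor. Assumed: hoststatustypes is a bitmask
// of host states (pending=1, up=2, down=4, unreachable=8) and the status page
// queries a PDO connection. Table and column names are placeholders.
const HOST_STATUS_MASK = 1 | 2 | 4 | 8;

// Vulnerable pattern: the raw parameter reaches the query unchecked, and the
// exception text (which can carry the DSN, DB user or SQL fragment) is sent to
// the browser, so any logged-in user can read it.
function service_status_vulnerable(array $get, PDO $db): string
{
    $types = $get['hoststatustypes'] ?? '';
    try {
        $stmt = $db->prepare('SELECT host_name, service_description FROM service_status WHERE (host_status & :mask) <> 0');
        $stmt->execute([':mask' => $types]);           // malformed value -> driver error
        return json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
    } catch (Exception $e) {
        return 'Error: ' . $e->getMessage();           // leaks internals to the client
    }
}

// Hardened: whitelist the parameter before it reaches any query, and keep
// failure details in the server log rather than the HTTP response.
function hoststatus_mask($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^[0-9]{1,3}$/', $raw)) {
        return null;                                   // not a short decimal integer
    }
    $mask = (int) $raw;
    // Reject zero and any bit outside the known host-state bitmask.
    return ($mask !== 0 && ($mask & ~HOST_STATUS_MASK) === 0) ? $mask : null;
}

function service_status_hardened(array $get, PDO $db): string
{
    $mask = hoststatus_mask($get['hoststatustypes'] ?? null);
    if ($mask === null) {
        http_response_code(400);
        return json_encode(['error' => 'invalid hoststatustypes']);   // generic, no internals
    }
    try {
        $stmt = $db->prepare('SELECT host_name, service_description FROM service_status WHERE (host_status & :mask) <> 0');
        $stmt->execute([':mask' => $mask]);
        return json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
    } catch (PDOException $e) {
        error_log('status/service/all failed: ' . $e->getMessage());  // details stay server-side
        http_response_code(500);
        return json_encode(['error' => 'internal error']);
    }
}
```

The same rule applies to uncaught exceptions: with display_errors enabled, PHP prints a stack trace whose frames can include the arguments passed to the PDO constructor, so production deployments should set display_errors=Off and register a set_exception_handler() callback that logs the throwable and returns a generic response.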