+++ This bug was initially created as a clone of Bug #13878 +++ I am a vulnerability analyst at VulnCheck responsible for managing our coordinated vulnerability disclosure (CVD) process. A researcher reported this vulnerability affecting IPFire, and VulnCheck is acting as the intermediary and coordinator. We have tentatively reserved CVE-2025-34210, which have been shared with the researcher but will remain private until public disclosure: Please be aware that none of this information is public at this moment and all participants are considered under embargo. VulnCheck follows a 120-day disclosure policy, meaning we allow vendors/maintainers up to 120 days from the time of receiving the report to address the issues before publishing our advisory. For this vulnerability, that 120-day deadline falls on January 21, 2025. --- When viewing a specific range of OpenVPN connection logs, an HTTP POST request is sent to the Request-URI "/cgi-bin/logs.cgi/ovpnclients.dat". The following SQL query is built and executed: SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent, STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions WHERE common_name = '<CONNECTION_NAME>' AND ( DATETIME(disconnected_at, 'localtime') > DATETIME('$from_datestring', 'start of day') AND DATETIME(connected_at, 'localtime') < DATETIME('$to_datestring', 'start of day', '+86399 seconds') ) ORDER BY connected_at; where the value of <CONNECTION_NAME> is the value of the HTTP parameter CONNECTION_NAME. This SQL query is built and executed without sanitizing the value of CONNECTION_NAME for SQL-related characters/strings. This can result in SQL injection which can be used for information disclosure. Our testing has found that remote code execution is not possible in default configurations. The attacker much be authenticated. --- The attachment contains additional technical details, the affected pathway, and proof of concept.
Created attachment 1665 [details] Reseacher Report
Patch set submitted https://lists.ipfire.org/development/20250925111252.11893-1-adolf.belka@ipfire.org/T/#t https://patchwork.ipfire.org/project/ipfire/list/?series=5215
Thank you very much everyone who has been working on this. The IPFire team has carefully reviewed this and the other reports and we have submitted a number of patches for you to review. They are all linked above. They have also already been merged to the development tree and therefore in line to be released with the next update: > https://git.ipfire.org/?p=ipfire-2.x.git;a=shortlog;h=refs/heads/next Please review the patches and confirm if they are fixing all problems that have been reported. We are very grateful for your time and effort that you have brought towards these findings and for your contribution to make IPFire an even more secure firewall. Please feel free to report any future findings and if you have anything else to share with us, please contact security@ipfire.org. I have made this bug report public again since patches are now available.
The CVE numbers in the individual reports have been mixed up with some other projects. Here is an updated list: #13876 - CVE-2025-34301 #13877 - CVE-2025-34302 #13878 - CVE-2025-34303 #13879 - CVE-2025-34304 #13880 - CVE-2025-34305 #13881 - CVE-2025-34306 #13882 - CVE-2025-34307 #13883 - CVE-2025-34308 #13884 - CVE-2025-34309 #13885 - CVE-2025-34310 #13886 - CVE-2025-34311 #13887 - CVE-2025-34312 #13888 - CVE-2025-34313 #13889 - CVE-2025-34314 #13890 - CVE-2025-34315 #13891 - CVE-2025-34316 #13892 - CVE-2025-34317 #13893 - CVE-2025-34318