Attacker Impact
An attacker who can set the value of the dot configuration parameter that openDCIM stores in its database can achieve Remote Code Execution (RCE) on the server hosting openDCIM [S1]. The injected command runs with the privileges of the web server process, which is enough for complete compromise of the host: reading sensitive data, modifying files, and pivoting to other systems on the network [S1].
Root Cause
The vulnerability is located in report_network_map.php [S1]. The script reads a configuration parameter named dot (the path to the Graphviz dot executable) from the database and interpolates it directly into a command string passed to PHP's exec() function [S1]. exec() hands that string to the system shell, so a stored value containing shell metacharacters such as ; or $( ) terminates the intended command and runs whatever follows. Because the parameter is neither validated nor sanitized before it reaches this shell execution sink, the flaw is an OS Command Injection (CWE-78) [S1]. It affects openDCIM version 23.04 through commit 4467e9c4 [S1].
Concrete Fixes
- Sanitize input: pass every variable that reaches a shell command through escapeshellarg(), so it is treated as a single argument and cannot break out of the command context [S1]. Escaping alone still lets a tampered setting point the command at any executable on disk; it only prevents injection of additional commands.
- Validate configuration: enforce strict validation or an allowlist for the dot parameter so it can only hold the expected path to the Graphviz dot executable [S1], for example an exact match against a fixed set of installation paths plus a check that the file exists and is executable.
- Update openDCIM: apply the latest patches or move to a version beyond commit 4467e9c4, where this vulnerability is addressed [S1].
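The following is an added example, not code from openDCIM or from the advisory. It places the pattern described under Root Cause (a database-sourced dot path interpolated into exec()) beside a hardened version that applies the fixes above: an allowlist on the executable path, an is_executable() check, and escapeshellarg() on every argument. The function names, the allowlist entries, the file paths and the planted configuration value are assumptions constructed for illustration.

```php
<?php
// Added example, not openDCIM's code. Helper names, paths and the planted
// configuration value below are constructed for illustration.

// Stand-in for the database lookup of the 'dot' parameter. The value is one
// an attacker with write access to the configuration could have planted.
function loadDotPathFromDb(): string
{
    // A benign value would be "/usr/bin/dot"; this one smuggles a command.
    return '/usr/bin/dot; id > /tmp/pwned #';
}

// VULNERABLE pattern: the config value is interpolated into the command
// string. exec() passes the string to /bin/sh, so the ';' ends the intended
// command and 'id > /tmp/pwned' runs as the web server user.
function renderNetworkMapVulnerable(string $dotFile, string $pngFile): array
{
    $dot = loadDotPathFromDb();
    $output = [];
    $rc = 0;
    exec("$dot -Tpng $dotFile -o $pngFile", $output, $rc);
    return ['rc' => $rc, 'output' => $output];
}

// HARDENED pattern:
//  1. Allowlist the executable path (exact match), so the setting can only
//     select a known Graphviz binary, not an arbitrary file on disk.
//  2. Require the path to be a regular, executable file.
//  3. Shell-escape every argument, file paths included, so each one stays a
//     single argv entry even if it contains spaces or metacharacters.
const DOT_ALLOWLIST = ['/usr/bin/dot', '/usr/local/bin/dot'];

function resolveDotBinary(string $candidate): ?string
{
    if (!in_array($candidate, DOT_ALLOWLIST, true)) {
        return null;
    }
    if (!is_file($candidate) || !is_executable($candidate)) {
        return null;
    }
    return $candidate;
}

function renderNetworkMapHardened(string $dotFile, string $pngFile): array
{
    $dot = resolveDotBinary(loadDotPathFromDb());
    if ($dot === null) {
        // Fail closed: refuse to run anything rather than guess a fallback.
        return ['rc' => -1, 'output' => ['dot path rejected by allowlist']];
    }
    $cmd = escapeshellarg($dot) . ' -Tpng '
         . escapeshellarg($dotFile) . ' -o ' . escapeshellarg($pngFile);
    $output = [];
    $rc = 0;
    exec($cmd, $output, $rc);
    return ['rc' => $rc, 'output' => $output];
}

// With the planted value above the hardened version refuses to execute.
// renderNetworkMapVulnerable() is deliberately not called here: it would
// run the injected command.
$result = renderNetworkMapHardened('/tmp/map.dot', '/tmp/map.png');
echo $result['output'][0] ?? "dot exit code {$result['rc']}", PHP_EOL;
```

The allowlist is what closes the gap that escaping leaves: with escapeshellarg() alone, the planted value can no longer chain a second command, but an attacker who controls the setting could still point it at any executable the web server user can run.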
How FixVibe could detect it
FixVibe could detect this issue through its GitHub repository scanning module. Static analysis of the PHP source can trace the flow of data from the database configuration lookup to dangerous execution sinks such as exec() [S1]; concretely, a scan would flag the use of the dot variable in report_network_map.php because no sanitization call sits between the lookup and the sink. FixVibe's gated active probes could additionally be configured to fingerprint openDCIM installations and check whether the vulnerable endpoint is present.
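As an added illustration of the sink-oriented check described above (this is not FixVibe's scanner and not openDCIM code), the snippet below finds PHP shell-execution sinks whose argument is built from a variable without escapeshellarg()/escapeshellcmd(), following one assignment backwards so that a command string escaped on an earlier line is not reported. The sample source it scans is constructed to mirror the advisory's pattern; the variable names in it are assumptions.

```php
<?php
// Added example, not FixVibe's scanner or openDCIM code. A regex-based
// triage heuristic, not a parser; the sample source below is constructed.

const SHELL_SINKS = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];

/**
 * Returns one finding per sink call whose first argument references a
 * variable and is not built with escapeshellarg()/escapeshellcmd().
 * A bare variable argument is resolved to its most recent assignment so
 * that "$cmd = escapeshellarg(...) ...; exec($cmd);" is judged on $cmd.
 */
function findUnescapedShellSinks(string $source): array
{
    $lines = explode("\n", $source);
    $findings = [];
    $sinks = implode('|', SHELL_SINKS);
    foreach ($lines as $i => $line) {
        if (!preg_match('/\b(' . $sinks . ')\s*\(\s*([^,)]+)/', $line, $m)) {
            continue;
        }
        $expr = trim($m[2]);
        if (preg_match('/^\$([A-Za-z_]\w*)$/', $expr, $v)) {
            for ($j = $i - 1; $j >= 0; $j--) {
                if (preg_match('/\$' . $v[1] . '\s*=(?!=)\s*(.+)$/', $lines[$j], $a)) {
                    $expr = trim($a[1]);
                    break;
                }
            }
        }
        if (!preg_match('/\$[A-Za-z_]\w*/', $expr)) {
            continue; // constant command string: nothing attacker-influenced
        }
        if (preg_match('/escapeshell(arg|cmd)\s*\(/', $expr)) {
            continue; // escaped: treated as safe by this heuristic
        }
        $findings[] = ['line' => $i + 1, 'sink' => $m[1], 'expr' => $expr];
    }
    return $findings;
}

// Constructed sample: line 2 is the vulnerable shape from the advisory,
// line 4 is the same call after escaping, line 5 has no variable at all.
$sample = <<<'PHP'
$dot = $configRow['Value'];
exec("$dot -Tpng map.dot -o map.png");
$safe = escapeshellarg($dot) . ' -Tpng map.dot -o map.png';
exec($safe);
system('ls -l /var/www');
PHP;

foreach (findUnescapedShellSinks($sample) as $f) {
    printf("line %d: %s() called with unescaped %s\n", $f['line'], $f['sink'], $f['expr']);
}
```

Only line 2 of the sample is reported. The one-level assignment lookup is the smallest piece of data-flow reasoning needed to avoid a false positive on the hardened form; a real scanner would track the value across functions and through the database lookup itself.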
