CVE-2019-10664
Published: 2019-03-31

CVE-2019-10664: Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.
Priority: P2
CVSS 3.0: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 7.55% (93.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| domoticz | domoticz | < 4.10578 | 4.10578 |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to the Domoticz floorplan image endpoint with a manipulated `idx` parameter containing SQL metacharacters (quotes, UNION, SELECT, etc.), indicating SQL injection attempts against CWebServer::GetFloorplanImage in WebServer.cpp.
- Detect unauthenticated POST requests to the Domoticz settings/configuration endpoint containing `UVCParams` with shell command injection patterns (newlines, `#` comment terminators, shell commands).
- Alert on ZIP file uploads to the Domoticz icon upload endpoint containing PNG files with non-image (shell script/command) content, particularly filenames matching `fakeicon*.png` or `icons.txt` with fake icon definitions.
- Monitor for the exploit's SQL injection data-theft pattern: unauthenticated GET requests to the floorplan image route with SQL injection payloads used to extract credential fields from the Domoticz database.
- Detect the exploit's credential-harvesting phase followed by login and SID cookie acquisition, then subsequent privileged API calls; a sequence of unauthenticated SQL injection followed by authenticated RCE is the full attack chain.
- Flag UVC camera API calls (add/list/live) immediately following a settings POST with injected UVCParams; this is the RCE trigger step in the exploit chain.
- Note: the exploit targets Domoticz versions strictly before 4.10578; version 4.10578 and later contain the upstream patch. Confirm the installed version before applying detection rules to avoid false positives on patched instances.
- Note: the exploit has two distinct RCE delivery modes (`-zipcmd` via icon ZIP upload, and `-direct` via HTTP server callback); detection rules should cover both the ZIP upload path and the external HTTP fetch path for the shell script payload.
- Note: the exploit restores default UVC parameters after execution to cover its tracks; forensic detection should therefore focus on transient log entries and network connections rather than persistent configuration state.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Bugzilla · 2019-04-05 · CVSS 9.8
CVE-2019-10664 [CRITICAL] domoticz: idx parameter in CWebServer::GetFloorplanImage allows SQL Injection
Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.
Upstream patch:
https://github.com/domoticz/domoticz/commit/ee70db46f81afa582c96b887b73bcd2a86feda00
Discussion:
Created domoticz tracking bugs for this issue:
Affects: fedora-all [bug 1696681]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla · 2019-04-05 · CVSS 9.8
CVE-2019-10664 [CRITICAL] domoticz: idx parameter in CWebServer::GetFloorplanImage allows SQL Injection [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
References:
- http://packetstormsecurity.com/files/152678/Domoticz-4.10577-Unauthenticated-Remote-Command-Execution.html
- https://github.com/domoticz/domoticz/commit/ee70db46f81afa582c96b887b73bcd2a86feda00
- https://www.exploit-db.com/exploits/46773/