Has been found a security vulnerability in Zabbix Server, allowing remote unauthenticated users to execute OS commands. This was tested on Zabbbix 1.6.5 and Zabbbix 1.6.1 (as available in Ubuntu Jaunty).

A feature allows the PHP front-end to execute on the server some scripts configured in the database. The front-end asks the database for the details of a script (including the OS command to run) and then send to the server a request including the command. As no restriction is made server-side on the caller of this functionality, it is trivial to execute code on any reachable Zabbix Server.

When a connection is made to a listening server, the header is checked and the content of the data is compared to several keywords. If data begins with "Command", the node_process_command() function is called. This function checks that the "nodeid" value received in the packet is equal to the "NodeID" value defined in the config file. Then, execute_script() is called and a call to popen() with the user-supplied command is made. As a bonus for the attacker, result of the command is sent back.