Details

    • Type: Incident report
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.6.7, 1.9.0 (alpha)
    • Component/s: Server (S)
    • Labels:
      None

      Description

      A security vulnerability has been found in the Zabbix Server, allowing remote unauthenticated users to execute arbitrary SQL queries. This was tested on Zabbix 1.6.5 (latest) and Zabbix 1.6.1 (as available in Ubuntu Jaunty).

      A feature allows the "nodewatcher" component to send history data to the main node. Before sending any data, a call to get_history_lastid() is made in order to check if a synchronization is needed. This function will execute a "SELECT MAX(...) FROM ..." with user-controlled arguments. As no restriction is made server-side on the caller of this functionality, it is trivial to execute arbitrary SQL requests on any reachable Zabbix Server.

      As a bonus for the attacker, the result of the request is sent back. This is not a typical SQL injection, as quoting variables can't help.
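      The pattern the report describes, shown as an added illustration in C (this is not Zabbix's own code; table names, column names, the trusted-node list and the request inputs are all constructed for the example). The vulnerable builder interpolates the peer-supplied table and column names directly into "select max(...) from ...", so escaping them as string literals would not help, since identifiers cannot be quoted that way. The hardened builder only accepts pairs from a fixed allowlist and assembles the query from its own constants, and the request handler additionally refuses callers that are not a configured node, which is the server-side restriction the report says was missing.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Illustrative code, not Zabbix's. It mirrors the report's pattern: the
 * peer supplies the table and column that a "SELECT MAX(...) FROM ..." is
 * built from. Every name below is an assumption made for the example. */

/* Vulnerable pattern: identifiers interpolated verbatim. Quoting would not
 * help; a quoted string is a literal, not a table or column name, so the
 * only real fix is to stop taking the identifiers from the peer. */
int build_lastid_query_unsafe(char *out, size_t outlen,
                              const char *table, const char *field)
{
    int n = snprintf(out, outlen, "select max(%s) from %s", field, table);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: the peer's input is used only to look up a fixed pair,
 * and the SQL text is assembled from server-side constants. */
struct lastid_target {
    const char *table;  /* hypothetical history table names */
    const char *field;  /* hypothetical id column to compare */
};

static const struct lastid_target ALLOWED_TARGETS[] = {
    { "history",      "id" },
    { "history_uint", "id" },
    { "history_str",  "id" },
};

int build_lastid_query_safe(char *out, size_t outlen,
                            const char *table, const char *field)
{
    size_t i;
    for (i = 0; i < sizeof(ALLOWED_TARGETS) / sizeof(ALLOWED_TARGETS[0]); i++) {
        const struct lastid_target *t = &ALLOWED_TARGETS[i];
        if (strcmp(t->table, table) == 0 && strcmp(t->field, field) == 0) {
            int n = snprintf(out, outlen, "select max(%s) from %s",
                             t->field, t->table);  /* constants only */
            return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
        }
    }
    return -1;  /* not an allowlisted target: refuse to build a query */
}

/* Constructed list of peers allowed to use the history sync function. */
static const char *const TRUSTED_NODES[] = { "10.0.0.2" };

/* Caller restriction first, then the allowlisted query builder. */
int handle_lastid_request(const char *peer_ip, const char *table,
                          const char *field, char *out, size_t outlen)
{
    size_t i;
    int trusted = 0;
    for (i = 0; i < sizeof(TRUSTED_NODES) / sizeof(TRUSTED_NODES[0]); i++)
        if (strcmp(TRUSTED_NODES[i], peer_ip) == 0)
            trusted = 1;
    if (!trusted)
        return -1;  /* unknown caller: do not touch the database at all */
    return build_lastid_query_safe(out, outlen, table, field);
}

int main(void)
{
    char sql[256];
    /* Constructed hostile input: the "table" argument carries its own SQL. */
    const char *hostile_table = "history; drop table x";

    if (build_lastid_query_unsafe(sql, sizeof sql, hostile_table, "id") == 0)
        printf("unsafe builder produced: %s\n", sql);

    if (build_lastid_query_safe(sql, sizeof sql, hostile_table, "id") != 0)
        printf("safe builder rejected hostile table name\n");

    if (handle_lastid_request("10.0.0.2", "history", "id", sql, sizeof sql) == 0)
        printf("trusted node, allowlisted target: %s\n", sql);

    if (handle_lastid_request("10.0.0.5", "history", "id", sql, sizeof sql) != 0)
        printf("untrusted caller rejected before any query was built\n");
    return 0;
}
```

      The allowlist lookup is the important part: with identifiers there is no escaping function to call, so the only safe design is one where the attacker's bytes never reach the query text.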

            People

            • Assignee:
              Unassigned
              Reporter:
              igor Igor Danoshaites (Inactive)