Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.6.7, 1.9.0 (alpha)
    • Component/s: Server (S)
    • Labels:
      None

      Description

      A security vulnerability has been found in the Zabbix Server, allowing remote unauthenticated users to execute arbitrary SQL queries. This was tested on Zabbix 1.6.5 (latest) and Zabbix 1.6.1 (as available in Ubuntu Jaunty).

      A feature allows the "nodewatcher" component to send history data to the main node. Before sending any data, a call to get_history_lastid() is made in order to check if a synchronization is needed. This function will execute a "SELECT MAX(...) FROM ..." with user-controlled arguments. As no restriction is made server-side on the caller of this functionality, it is trivial to execute arbitrary SQL requests on any reachable Zabbix Server.

      As a bonus for the attacker, the result of the request is sent back. This is not a typical SQL injection, as quoting variables can't help.

      1. zbx-sqli-v2.py
        0.8 kB
        Igor Danoshaites
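
Assuming the user-controlled arguments described above fill the column and table slots of the "SELECT MAX(...) FROM ..." statement, quoting cannot constrain them, but an exact-match allowlist can. The following C code is an added example, not the Zabbix fix from the revisions mentioned below: build_lastid_query(), lookup_target() and the table and field names are hypothetical, and it does not address the missing restriction on who may call the feature.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: the only (table, field) pairs a remote node may ask about.
 * The names are constructed for this example, not taken from the Zabbix schema. */
struct sync_target { const char *table; const char *field; };
static const struct sync_target ALLOWED[] = {
    { "history_sync",      "id" },
    { "history_uint_sync", "id" },
    { "history_str_sync",  "id" },
};

/* Return the allowlisted entry matching the request exactly, or NULL. */
static const struct sync_target *lookup_target(const char *table, const char *field)
{
    size_t i;
    if (table == NULL || field == NULL)
        return NULL;
    for (i = 0; i < sizeof(ALLOWED) / sizeof(ALLOWED[0]); i++)
        if (strcmp(table, ALLOWED[i].table) == 0 && strcmp(field, ALLOWED[i].field) == 0)
            return &ALLOWED[i];
    return NULL;
}

/* Build "SELECT MAX(field) FROM table" into out. Returns 0 on success,
 * -1 if the request is not allowlisted or the buffer is too small. */
int build_lastid_query(const char *table, const char *field, char *out, size_t outlen)
{
    const struct sync_target *t = lookup_target(table, field);
    int n;
    if (t == NULL || out == NULL || outlen == 0)
        return -1;
    /* Format from the allowlist's own constants, never from the caller's bytes. */
    n = snprintf(out, outlen, "SELECT MAX(%s) FROM %s", t->field, t->table);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char q[128];
    /* Constructed inputs: one legitimate request, one with extra SQL in the field slot. */
    printf("%d\n", build_lastid_query("history_sync", "id", q, sizeof(q)));
    printf("%d\n", build_lastid_query("history_sync", "id) FROM other_table --", q, sizeof(q)));
    return 0;
}
```
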

        Activity

        Alexander Vladishev added a comment -

        Fixed in branches 1.6 (pre1.6.7) and trunk, revision 7964.

        Alexander Vladishev added a comment -

        Thank you!
        Problem fixed in version pre1.6.8, revision 8368.

        Igor Danoshaites added a comment -

        I am closing this resolved issue, it should be fixed in the pre-1.6.8, revision 8368.


          People

          • Assignee:
            Igor Danoshaites
            Reporter:
            Igor Danoshaites
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved: