ZABBIX BUGS AND ISSUES

Remote SQL injection in Zabbix Server.

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Blocker Blocker
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.6.7, 1.9.0 (alpha)
  • Component/s: Server (S)
  • Labels:
    None
  • Zabbix ID:
    050

Description

Has been found a security vulnerability in the Zabbix Server, allowing remote unauthenticated users to execute arbitrary SQL queries. This was tested on Zabbbix1.6.5 (latest) and Zabbbix 1.6.1 (as available in Ubuntu Jaunty).

A feature allows the "nodewatcher" component to send history data to the main node. Before sending any data, a call to get_history_lastid() is made in order to check if a synchronization is needed. This function will execute a "SELECT MAX(...) FROM ..." with user-controlled arguments. As no restriction is made server-side on the caller of this functionality, it is trivial to execute arbitrary SQL requests on any reachable Zabbix Server.

As a bonus for the attacker, result of the request is sent back. This is not a typical SQL injection, as quoting variables can't help.

Activity

Hide
Alexander Vladishev added a comment -

Fixed in branches 1.6 (pre1.6.7) and trunk, revision 7964.

Show
Alexander Vladishev added a comment - Fixed in branches 1.6 (pre1.6.7) and trunk, revision 7964.
Hide
Alexander Vladishev added a comment -

Thank you!
Problem fixed in version pre1.6.8, revision 8368.

Show
Alexander Vladishev added a comment - Thank you! Problem fixed in version pre1.6.8, revision 8368.
Hide
Igor Danoshaites added a comment -

I am closing this resolved issue, it should be fixed in the pre-1.6.8, revision 8368.

Show
Igor Danoshaites added a comment - I am closing this resolved issue, it should be fixed in the pre-1.6.8, revision 8368.

People

Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: