Has been found a security vulnerability in the Zabbix Server, allowing remote unauthenticated users to execute arbitrary SQL queries. This was tested on Zabbbix1.6.5 (latest) and Zabbbix 1.6.1 (as available in Ubuntu Jaunty).

A feature allows the "nodewatcher" component to send history data to the main node. Before sending any data, a call to get_history_lastid() is made in order to check if a synchronization is needed. This function will execute a "SELECT MAX(...) FROM ..." with user-controlled arguments. As no restriction is made server-side on the caller of this functionality, it is trivial to execute arbitrary SQL requests on any reachable Zabbix Server.

As a bonus for the attacker, result of the request is sent back. This is not a typical SQL injection, as quoting variables can't help.