Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-13781

CRLF Injection in Zabbix Agentd

XMLWordPrintable

    • Sprint 31, Sprint 32
    • 0.5

      The problem happen in the item "web.page.get[]", which used to "get content of the http web page".
      The function handles this item is "get_http_page()" in /libs/zbxsysinfo/common/http.c.
      When building the request for http connection, no secure check was made for the parameter in line 41: (see image below).
      Attacker can add CRLF character to the "path" parameter and freely control the request! (see image below
      It can be abused, and used to make tcp request to any local port of the server using zabbix agentd.
      For example: Some server using redis, memcached, ... attacker can connect to this port and control it to write file, code execution ...
      I don't know this is intent or not but I think it should not be there!

        1. z2.PNG
          z2.PNG
          16 kB
        2. z3.PNG
          z3.PNG
          39 kB

            MVekslers Michael Veksler
            testanull Nguyen Tien Giang
            Team C
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: