• Incident report
    • Resolution: Fixed
    • Minor
    • 1.8.6
    • None
    • Frontend (F)
    • None
    • All

      By changing the request parameter to something invalid, an error message is produced disclosing the location/path of the Zabbix install.

      This is an information leakage / path disclosure vulnerability... not a huge deal but should be fixed time permitting.

          [ZBX-3840] Path Disclosure Vulnerability

          Damian Tommasino added a comment -

          Forgot to add a sample request to cause the issue:

          GET http://192.168.1.73/zabbix/popup.php?dstfrm=Action&dstfld1=new_operation%5Bobjectid%5D&dstfld2=object_name&srctbl=usrgrp&srcfld1=usrgrpid&srcfld2=password&submit=1 HTTP/1.1

          The "password" value is passed to the srcfld2 parameter, triggering the error.

          Damian Tommasino added a comment -

          The srctbl parameter isn't validated either. By changing this to any correct table name in the DB you can output the contents of the table.
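
Added example, not part of the ticket thread and not Zabbix source code: one way to handle the srctbl/srcfld1/srcfld2 parameters discussed above so that unexpected values are rejected with a fixed message and PHP diagnostics, which carry absolute file paths, stay in the server log. The function name `validate_popup_source`, the allowlist contents and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Hypothetical hardened parameter handling; not taken from the Zabbix code base.
// Constructed allowlist: source table => fields a popup may read from it.
const ALLOWED_SOURCES = [
    'usrgrp' => ['usrgrpid', 'name'],
];

/**
 * Return [table, field1, field2] when every value is on the allowlist, else null.
 */
function validate_popup_source(array $query): ?array
{
    $table = $query['srctbl'] ?? null;
    if (!is_string($table) || !array_key_exists($table, ALLOWED_SOURCES)) {
        return null; // unknown table: never reaches the query layer
    }
    $fields = [];
    foreach (['srcfld1', 'srcfld2'] as $param) {
        $value = $query[$param] ?? null;
        if (!is_string($value) || !in_array($value, ALLOWED_SOURCES[$table], true)) {
            return null; // unknown field: no lookup, so no PHP notice or SQL error
        }
        $fields[] = $value;
    }
    return [$table, $fields[0], $fields[1]];
}

// Keep PHP diagnostics (which include the install path) out of responses.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample inputs; the second mirrors the request quoted in the thread.
$samples = [
    ['srctbl' => 'usrgrp', 'srcfld1' => 'usrgrpid', 'srcfld2' => 'name'],
    ['srctbl' => 'usrgrp', 'srcfld1' => 'usrgrpid', 'srcfld2' => 'password'],
    ['srctbl' => 'some_other_table', 'srcfld1' => 'id', 'srcfld2' => 'name'],
];
foreach ($samples as $query) {
    $source = validate_popup_source($query);
    if ($source === null) {
        // Detail goes to the server log; the client sees only a fixed message.
        error_log('popup: rejected source ' . json_encode($query));
        echo "400 Invalid request\n";
        continue;
    }
    echo '200 OK: ' . implode(', ', $source) . "\n";
}
```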

          Alexey Fukalov added a comment -

          dev branch: svn://svn.zabbix.com/branches/dev/ZBX-3840

          richlv added a comment -

          full path not visible in dev branch rev 20600.
          leaving issue as is for code review

          Aleksandrs Saveljevs added a comment -

          Damian, the issue regarding validating "srctbl" was moved to ZBX-3955. Thanks!

          Alexey Fukalov added a comment -

          svn://svn.zabbix.com/branches/1.8 20619

          Andy Goldschmidt added a comment - This is now listed on NIST website : http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3264

          Takanori Suzuki added a comment -

          Though Zabbix SIA might have already stopped maintaining 1.6.x, because this is a security issue I checked this issue in Zabbix-1.6.9.
          Zabbix-1.6.9 is also affected.
          So, I made a patch for Zabbix-1.6.9.

          https://gist.github.com/1332795

          Volker Fröhlich added a comment -

          Is Takanori's patch sufficient to settle the issue? EPEL 5 still has 1.4.7 and it doesn't seem to be solved there. Will this patch do?

          http://www.geofrogger.net/review/zabbix-1.4.7-cve-2011-3264.patch

          Sorry, I can't attach it here.

          https://bugzilla.redhat.com/show_bug.cgi?id=729162

            Unassigned Unassigned
            infosec01 Damian Tommasino