Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.8.6
    • Component/s: Frontend (F)
    • Labels:
      None
    • Environment:
      All

      Description

      By changing the request parameter to something invalid, an error message is produced disclosing the location/path of the Zabbix install.

      This is an information leakage / path disclosure vulnerability... not a huge deal but should be fixed time permitting.

          Activity

          Damian Tommasino added a comment -

          Forgot to add a sample request to cause the issue:

          GET http://192.168.1.73/zabbix/popup.php?dstfrm=Action&dstfld1=new_operation%5Bobjectid%5D&dstfld2=object_name&srctbl=usrgrp&srcfld1=usrgrpid&srcfld2=password&submit=1 HTTP/1.1

          The "password" value is passed to the srcfld2 parameter triggering the error.

          Damian Tommasino added a comment -

          The srctbl parameter isn't validated either. By changing this to any correct table name in the DB you can output contents of the table.
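
One way to close both gaps reported above, the error output on an invalid srcfld2 and the unvalidated srctbl, is an allowlist checked before any lookup, with only a generic message returned to the client. This is an added example, not code from the Zabbix project or its fix; the table/field map and the function names validate_popup_params and handle_popup are assumptions.

```php
<?php
// Added example, not Zabbix code. The table and field names below are
// constructed for illustration, not the real popup.php schema.
ini_set('display_errors', '0'); // PHP notices/warnings embed file paths; keep them out of responses

const POPUP_SOURCES = [
    'usrgrp' => ['usrgrpid', 'name'],
    'hosts'  => ['hostid', 'host'],
];

/** Validate popup-style parameters; returns [table, field1, field2] or throws. */
function validate_popup_params(array $query): array
{
    foreach (['srctbl', 'srcfld1', 'srcfld2'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            throw new InvalidArgumentException("missing or non-string $key");
        }
    }
    $table = $query['srctbl'];
    if (!array_key_exists($table, POPUP_SOURCES)) {
        throw new InvalidArgumentException('srctbl not allowed');
    }
    foreach (['srcfld1', 'srcfld2'] as $key) {
        if (!in_array($query[$key], POPUP_SOURCES[$table], true)) {
            throw new InvalidArgumentException("$key not allowed for table");
        }
    }
    return [$table, $query['srcfld1'], $query['srcfld2']];
}

/** Handle one request: detail goes to the server log, never to the client. */
function handle_popup(array $query): array
{
    try {
        return ['status' => 200, 'body' => implode(',', validate_popup_params($query))];
    } catch (InvalidArgumentException $e) {
        error_log('popup parameter rejected: ' . $e->getMessage());
        return ['status' => 400, 'body' => 'Invalid request parameter.'];
    }
}

// Constructed sample: the query string from the report (srcfld2=password).
parse_str('dstfrm=Action&srctbl=usrgrp&srcfld1=usrgrpid&srcfld2=password&submit=1', $q);
print_r(handle_popup($q));
```

The logged message contains only the parameter name, not the submitted value, so rejected input cannot inject content into the server log.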

          Alexey Fukalov added a comment -

          dev branch: svn://svn.zabbix.com/branches/dev/ZBX-3840

          richlv added a comment -

          full path not visible in dev branch rev 20600.
          leaving issue as is for code review

          Aleksandrs Saveljevs added a comment -

          Damian, the issue regarding validating "srctbl" was moved to ZBX-3955. Thanks!

          Alexey Fukalov added a comment -

          svn://svn.zabbix.com/branches/1.8 20619

          Andy Goldschmidt added a comment -

          This is now listed on NIST website: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3264

          Takanori Suzuki added a comment -

          Though Zabbix SIA might have already stopped maintaining 1.6.x, because this is a security issue I checked this issue in Zabbix-1.6.9.
          Zabbix-1.6.9 is also affected.
          So, I made a patch for Zabbix-1.6.9.

          https://gist.github.com/1332795

          Volker Fröhlich added a comment -

          Is Takanori's patch sufficient to settle the issue? EPEL 5 still has 1.4.7 and it doesn't seem to be solved there. Will this patch do?

          http://www.geofrogger.net/review/zabbix-1.4.7-cve-2011-3264.patch

          Sorry, I can't attach it here.

          https://bugzilla.redhat.com/show_bug.cgi?id=729162


            People

            • Assignee:
              Alexey Fukalov
              Reporter:
              Damian Tommasino
            • Votes:
              0
              Watchers:
              0