ZABBIX BUGS AND ISSUES

Path Disclosure Vulnerability

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.8.6
  • Component/s: Frontend (F)
  • Labels: None
  • Environment: All
  • Zabbix ID: NA

Description

By changing the request parameter to something invalid, an error message is produced disclosing the location/path of the Zabbix install.

This is an information leakage / path disclosure vulnerability... not a huge deal, but should be fixed time permitting.

Activity

Damian Tommasino added a comment -

Forgot to add a sample request to cause the issue:

GET http://192.168.1.73/zabbix/popup.php?dstfrm=Action&dstfld1=new_operation%5Bobjectid%5D&dstfld2=object_name&srctbl=usrgrp&srcfld1=usrgrpid&srcfld2=password&submit=1 HTTP/1.1

The "password" value is passed to the srcfld2 parameter triggering the error.

Damian Tommasino added a comment -

The srctbl parameter isn't validated either. By changing this to any correct table name in the DB you can output contents of the table.
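
An added example, not part of the issue thread and not Zabbix code: one way a PHP frontend can check srctbl, srcfld1 and srcfld2 against an allowlist and answer with a generic error, so that neither the install path nor an arbitrary table reaches the client. The table/field map and the function names are hypothetical.

```php
<?php
// Added example; the table/field allowlist is constructed, not Zabbix's schema.
ini_set('display_errors', '0'); // PHP errors go to the server log, never the response
ini_set('log_errors', '1');

const ALLOWED_SOURCES = [
    'usrgrp' => ['usrgrpid', 'name'],
    'hosts'  => ['hostid', 'host'],
];
const SOURCE_KEYS = ['srctbl', 'srcfld1', 'srcfld2'];

/** Return [table, field1, field2] when all three are allowlisted, else null. */
function validate_popup_source(array $query): ?array
{
    foreach (SOURCE_KEYS as $key) {
        // Missing keys and array values (srctbl[]=x) are rejected up front.
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null;
        }
    }
    $table = $query['srctbl'];
    if (!array_key_exists($table, ALLOWED_SOURCES)) {
        return null;
    }
    foreach (['srcfld1', 'srcfld2'] as $key) {
        if (!in_array($query[$key], ALLOWED_SOURCES[$table], true)) {
            return null;
        }
    }
    return [$table, $query['srcfld1'], $query['srcfld2']];
}

/** Generic message for the client; the rejected values stay in the server log. */
function handle_popup(array $query): string
{
    $source = validate_popup_source($query);
    if ($source === null) {
        // json_encode escapes control characters, so the log line cannot be split.
        $seen = array_intersect_key($query, array_flip(SOURCE_KEYS));
        error_log('popup: rejected source parameters ' . json_encode($seen));
        return 'Invalid request parameters.';
    }
    return sprintf('OK: %s (%s, %s)', ...$source);
}

// Constructed inputs: the query string from the report, then a well-formed one.
parse_str('srctbl=usrgrp&srcfld1=usrgrpid&srcfld2=password&submit=1', $reported);
parse_str('srctbl=usrgrp&srcfld1=usrgrpid&srcfld2=name', $valid);
echo handle_popup($reported), PHP_EOL;
echo handle_popup($valid), PHP_EOL;
```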

Alexey Fukalov added a comment -

dev branch: svn://svn.zabbix.com/branches/dev/ZBX-3840

richlv added a comment -

full path not visible in dev branch rev 20600.
leaving issue as is for code review

Aleksandrs Saveljevs added a comment -

Damian, the issue regarding validating "srctbl" was moved to ZBX-3955. Thanks!

Alexey Fukalov added a comment -

svn://svn.zabbix.com/branches/1.8 20619

Andy Goldschmidt added a comment -

This is now listed on NIST website: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3264

Takanori Suzuki added a comment -

Though Zabbix SIA might have already stopped maintaining 1.6.x, because this is a security issue I checked this issue in Zabbix-1.6.9.
Zabbix-1.6-9 is also affected.
So, I made a patch for Zabbix-1.6.9.

https://gist.github.com/1332795

Volker Fröhlich added a comment -

Is Takanori's patch sufficient to settle the issue? EPEL 5 still has 1.4.7 and it doesn't seem to be solved there. Will this patch do?

http://www.geofrogger.net/review/zabbix-1.4.7-cve-2011-3264.patch

Sorry, I can't attach it here.

https://bugzilla.redhat.com/show_bug.cgi?id=729162
