ZABBIX BUGS AND ISSUES

SQL injection vulnerabilities in the API and frontend

Details

  • Zabbix ID:
    NA

Description

-------------------------
Vulnerability description
-------------------------

The Zabbix frontend and API are vulnerable to SQL injection attacks. The vulnerabilities allow an attacker to gain access to the database and execute arbitrary SQL statements.

Please use CVE-2013-5743 to refer to this vulnerability.

-------
Details
-------

(1) The following API methods and parameters have been reported to be vulnerable:

alert.get: time_from, time_till;
event.get: object, source, eventid_from, eventid_till;
graphitem.get: type;
graph.get: type;
graphprototype.get: type;
history.get: time_from, time_till;
trigger.get: lastChangeSince, lastChangeTill, min_severity;
triggerprototype.get: min_severity;
usergroup.get: status.

This issue has been reported by Bernhard Schildendorfer from SEC Consult.

(2) Code responsible for adding objects such as graphs or maps to favorites is also vulnerable to this type of attack. This can be exploited on the "Dashboard", "Graphs", "Maps", "Latest data" and "Screens" pages in the "Monitoring" section.

This issue has been reported by Lincoln, a member of Corelan Team.
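As an added example (not Zabbix code, and not the patch attached to this issue), the following Python sketch shows the defensive pattern behind fixing the first group of findings: the integer-typed filter parameters listed above are validated before they reach any SQL, and the query is built with bound placeholders so the values never become part of the SQL text. The method-to-parameter map, the `alerts` table and its rows are constructed for the demo; Zabbix's real schema and API layer are not used.

```python
import re
import sqlite3

# Integer-typed filter parameters taken from the list above (constructed mapping
# for this demo, not Zabbix's own API schema).
INTEGER_FILTERS = {
    "alert.get": {"time_from", "time_till"},
    "event.get": {"object", "source", "eventid_from", "eventid_till"},
    "graph.get": {"type"},
    "graphitem.get": {"type"},
    "graphprototype.get": {"type"},
    "history.get": {"time_from", "time_till"},
    "trigger.get": {"lastChangeSince", "lastChangeTill", "min_severity"},
    "triggerprototype.get": {"min_severity"},
    "usergroup.get": {"status"},
}

_INT_RE = re.compile(r"[0-9]+")  # plain ASCII decimal digits only


def validate_int_filters(method, params):
    """Return {name: int} for the given filters. Raise ValueError for a parameter
    that is not a known integer filter of this method, or whose value is not a
    plain non-negative decimal integer (so "0 OR 1=1" never reaches the query)."""
    allowed = INTEGER_FILTERS.get(method, set())
    clean = {}
    for name, value in params.items():
        if name not in allowed:
            raise ValueError(f"{method}: unknown filter {name!r}")
        if isinstance(value, bool):  # bool is an int subclass; reject it explicitly
            raise ValueError(f"{method}: {name} must be an integer")
        if isinstance(value, int):
            if value < 0:
                raise ValueError(f"{method}: {name} must be non-negative")
            clean[name] = value
        elif isinstance(value, str) and _INT_RE.fullmatch(value):
            clean[name] = int(value)
        else:
            raise ValueError(f"{method}: {name} must be an integer, got {value!r}")
    return clean


def rejects(method, params):
    """True if validate_int_filters refuses the input (convenience for tests)."""
    try:
        validate_int_filters(method, params)
    except ValueError:
        return True
    return False


def build_alert_query(params):
    """Build an alert.get-style lookup with bound parameters: the user-supplied
    values travel in `args`, never in the SQL string."""
    clean = validate_int_filters("alert.get", params)
    clauses, args = [], []
    if "time_from" in clean:
        clauses.append("clock >= ?")
        args.append(clean["time_from"])
    if "time_till" in clean:
        clauses.append("clock <= ?")
        args.append(clean["time_till"])
    sql = "SELECT alertid FROM alerts"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY alertid"
    return sql, args


def run_alert_get(params):
    """Run the query against a constructed in-memory table; return matching ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alerts (alertid INTEGER PRIMARY KEY, clock INTEGER)")
    conn.executemany("INSERT INTO alerts VALUES (?, ?)",
                     [(1, 100), (2, 200), (3, 300)])  # constructed sample rows
    sql, args = build_alert_query(params)
    return [row[0] for row in conn.execute(sql, args)]


if __name__ == "__main__":
    print(run_alert_get({"time_from": "150"}))              # [2, 3]
    print(rejects("alert.get", {"time_from": "0 OR 1=1"}))  # True
```

The two halves reinforce each other: the whitelist keeps attacker-controlled text out of the SQL string even if a later refactor forgets a placeholder, and the placeholder keeps the query correct even if a value somehow slips past validation. Audit both directions when reviewing a fix of this kind.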

-----------------
Affected versions
-----------------

All Zabbix versions are in some way vulnerable to this type of attack.

--------------
Fixed versions
--------------

These vulnerabilities have been fixed in the latest releases of Zabbix. Additionally, an internal security audit was performed and similar vulnerabilities have been fixed in other areas.

The fix is available in the following Zabbix releases:
2.0.9
1.8.18

Additionally, patches are available for the following Zabbix versions:
2.0.8
1.8.17
1.8.2

Attachments:
  1. ZBX-7091-1.8.18rc1.patch (2013 Oct 02 09:39, 156 kB, Pavels Jelisejevs)
  2. ZBX-7091-1.8.2.patch (2013 Oct 02 09:39, 234 kB, Pavels Jelisejevs)
  3. ZBX-7091-2.0.8.patch (2013 Oct 02 09:39, 81 kB, Pavels Jelisejevs)
  4. ZBX-7091-2.0.9rc1.patch (2013 Oct 02 09:39, 81 kB, Pavels Jelisejevs)
  5. ZBX-7091-2.1.7.patch (2013 Oct 02 09:39, 96 kB, Pavels Jelisejevs)

Activity

Pavels Jelisejevs added a comment -

Fixed in 1.8.18rc1 r38907, 2.0.9rc1 r38908 and trunk r38909.

CLOSED.

Volker Fröhlich added a comment -

Fixed in EL6: https://admin.fedoraproject.org/updates/zabbix20-2.0.8-3.el6

Fedora, EL5 and zabbix in EL6 are to be done.

Volker Fröhlich added a comment -

And 2.0.8-3 from F18 to Rawhide. Thus EPEL and Fedora are done.

Pavels Jelisejevs added a comment -

Great! Thanks for the prompt fix.

Takanori Suzuki added a comment -

Hi, I found a problem in the ZBX-7091 fix code for 1.8.x, commit r38907.
In zabbix-1.8.x revision r39228 with PostgreSQL, the profiles table data includes unneeded ''.
It's done by "updateDB()" in the "CProfile" class in "profiles.inc.php".
"updateDB()" uses "zbx_dbstr()" twice for "$value" if the value type is "value_str", and this adds unneeded ''.
Because of this, profile data, like the default filter settings or the default page after login, become wrong.

And "insertDB()" in the "CProfile" class does not do the same escaping.

I made a patch for these things.
Could you check it?
https://gist.github.com/BlueSkyDetector/7018855

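To make the double-escaping problem described in the comment above concrete, here is an added Python illustration (not Zabbix code and not the patch from the linked gist). `db_str()` is an assumed stand-in for `zbx_dbstr()` that quotes a string literal exactly once; `update_profile_double_quoted()` reproduces the defect (the value is quoted while being prepared and again when the statement is assembled), and `update_profile_fixed()` quotes once at the point the SQL text is built. The `profiles` table and its rows are constructed for the demo and use SQLite quoting rules.

```python
import sqlite3


def db_str(value):
    """Quote a string literal for SQL exactly once. Assumed helper standing in for
    zbx_dbstr(); uses SQLite rules (double any embedded single quote, wrap in quotes)."""
    return "'" + str(value).replace("'", "''") + "'"


def make_db():
    """Constructed in-memory profiles table with one sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (idx TEXT PRIMARY KEY, value_str TEXT)")
    conn.execute("INSERT INTO profiles VALUES ('web.paging.page', 'dashboard.php')")
    return conn


def update_profile_double_quoted(conn, idx, value):
    """Reproduces the defect: the value is quoted once when prepared and once more
    when the statement is built, so the stored text keeps a pair of quotes."""
    prepared = db_str(value)  # first quoting, in a "prepare the value" step
    conn.execute(
        "UPDATE profiles SET value_str=" + db_str(prepared)  # second quoting here
        + " WHERE idx=" + db_str(idx)
    )


def update_profile_fixed(conn, idx, value):
    """Quote exactly once, at the point the SQL text is assembled."""
    conn.execute(
        "UPDATE profiles SET value_str=" + db_str(value)
        + " WHERE idx=" + db_str(idx)
    )


def read_profile(conn, idx):
    """Return the stored value_str for idx, or None if absent."""
    row = conn.execute(
        "SELECT value_str FROM profiles WHERE idx=" + db_str(idx)
    ).fetchone()
    return row[0] if row else None


def round_trip(update_fn, value):
    """Write `value` with the given update function and read back what was stored."""
    conn = make_db()
    update_fn(conn, "web.paging.page", value)
    return read_profile(conn, "web.paging.page")


if __name__ == "__main__":
    print(round_trip(update_profile_double_quoted, "overview.php"))  # 'overview.php'
    print(round_trip(update_profile_fixed, "overview.php"))          # overview.php
```

A round-trip check like `round_trip()` is the regression test worth keeping for any escape-on-write path: it catches both under-escaping (a value containing a quote breaks or alters the statement) and the over-escaping reported here (quotes leak into stored data and silently corrupt settings such as the default page after login).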
richlv added a comment -

takanori, could this be the same as ZBX-7156?

Takanori Suzuki added a comment -

Hi richlv, thx.
It's exactly the same issue as ZBX-7156.
I found that the fix patch is also the same.
