ZABBIX BUGS AND ISSUES
ZBX-7091

SQL injection vulnerabilities in the API and frontend

      Description

      -------------------------
      Vulnerability description
      -------------------------

      Zabbix frontend and API are vulnerable to SQL injection attacks. The vulnerabilities allow an attacker to gain access to the database and execute arbitrary SQL statements.

      Please use CVE-2013-5743 to refer to this vulnerability.

      -------
      Details
      -------

      (1) The following API methods and parameters have been reported to be vulnerable:

      alert.get: time_from, time_till;
      event.get: object, source, eventid_from, eventid_till;
      graphitem.get: type;
      graph.get: type;
      graphprototype.get: type;
      history.get: time_from, time_till;
      trigger.get: lastChangeSince, lastChangeTill, min_severity;
      triggerprototype.get: min_severity;
      usergroup.get: status.

      This issue has been reported by Bernhard Schildendorfer from SEC Consult.

      (2) Code responsible for adding objects such as graphs or maps to favorites is also vulnerable to this type of attack. This can be exploited on the "Dashboard", "Graphs", "Maps", "Latest data" and "Screens" pages in the "Monitoring" section.

      This issue has been reported by Lincoln, a member of Corelan Team.

      -----------------
      Affected versions
      -----------------

      All Zabbix versions are in some way vulnerable to this type of attack.

      --------------
      Fixed versions
      --------------

      These vulnerabilities have been fixed in the latest releases of Zabbix. Additionally, an internal security audit was performed and similar vulnerabilities have been fixed in other areas.

      The fix is available in the following Zabbix releases:
      2.0.9
      1.8.18

      Additionally, patches are available for the following Zabbix versions:
      2.0.8
      1.8.17
      1.8.2

      Attachments:
      1. ZBX-7091-1.8.18rc1.patch (156 kB, Pavels Jelisejevs)
      2. ZBX-7091-1.8.2.patch (234 kB, Pavels Jelisejevs)
      3. ZBX-7091-2.0.8.patch (81 kB, Pavels Jelisejevs)
      4. ZBX-7091-2.0.9rc1.patch (81 kB, Pavels Jelisejevs)
      5. ZBX-7091-2.1.7.patch (96 kB, Pavels Jelisejevs)

        Activity

        Pavels Jelisejevs added a comment -

        Fixed in 1.8.18rc1 r38907, 2.0.9rc1 r38908 and trunk r38909.

        CLOSED.

        Volker Fröhlich added a comment -

        Fixed in EL6: https://admin.fedoraproject.org/updates/zabbix20-2.0.8-3.el6

        Fedora, EL5 and zabbix in EL6 are to be done.

        Volker Fröhlich added a comment -

        https://admin.fedoraproject.org/updates/zabbix-1.8.17-3.el6
        https://admin.fedoraproject.org/updates/zabbix20-2.0.8-3.el5

        Volker Fröhlich added a comment -

        And 2.0.8-3 from F18 to Rawhide. Thus EPEL and Fedora are done.

        Pavels Jelisejevs added a comment -

        Great! Thanks for the prompt fix.

        Takanori Suzuki added a comment -

        Hi, I found a problem in the ZBX-7091 fixing code for 1.8.x, commit r38907.
        In zabbix-1.8.x revision r39228 with PostgreSQL, the profiles table data includes unneeded ''.
        It's done by "updateDB()" in the "CProfile" class in "profiles.inc.php".
        "updateDB()" is using "zbx_dbstr()" twice for "$value" if the value type is "value_str", and it adds unneeded ''.
        Because of this, profiles data, like the default filtering setting or the default page after login, become wrong.

        And "insertDB()" in the "CProfile" class is not doing the same escaping.

        I made a patch for these things.
        Could you check it?
        https://gist.github.com/BlueSkyDetector/7018855

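An added PHP example (not Zabbix's own code) covering both the numeric API filter parameters listed in the description and the double-escaping defect described in the comment above. dbstr_once() is a stand-in for zbx_dbstr(), and the function names, the a.clock column and the MySQL-style escaping are assumptions.

```php
<?php
// Added example, not Zabbix code. dbstr_once() stands in for zbx_dbstr(): it quotes
// and backslash-escapes a string exactly once (MySQL-style escaping is assumed here).
function dbstr_once(string $value): string
{
    return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], $value) . "'";
}

// Numeric filter parameters (time_from, time_till, min_severity, ...) must not be
// interpolated as raw strings: validate and cast, or reject the request.
function int_param(array $params, string $name): ?int
{
    if (!array_key_exists($name, $params)) {
        return null;
    }
    $raw = $params[$name];
    if (!is_int($raw) && !ctype_digit((string) $raw)) {
        throw new InvalidArgumentException("Parameter \"$name\" must be an integer.");
    }
    return (int) $raw;
}

// WHERE fragment for an alert.get-style query; the column name a.clock is assumed.
function alert_where(array $params): string
{
    $where = [];
    if (($from = int_param($params, 'time_from')) !== null) {
        $where[] = 'a.clock>=' . $from;
    }
    if (($till = int_param($params, 'time_till')) !== null) {
        $where[] = 'a.clock<=' . $till;
    }
    return $where ? ' WHERE ' . implode(' AND ', $where) : '';
}

// A string profile value is escaped once. Applying the escaper twice, as reported
// above for CProfile::updateDB(), stores the quotes as part of the data.
function profile_value_sql(string $value): string
{
    return dbstr_once($value);
}

echo alert_where(['time_from' => '1380000000', 'time_till' => 1380086400]), "\n";
try {
    alert_where(['time_from' => 'not-an-int']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo profile_value_sql('tr_status.php'), "\n";           // escaped once: 'tr_status.php'
echo dbstr_once(dbstr_once('tr_status.php')), "\n";      // escaped twice: '\'tr_status.php\''
```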
        richlv added a comment -

        takanori, could this be the same as ZBX-7156?

        Takanori Suzuki added a comment -

        Hi richlv, thx.
        It's exactly the same issue as ZBX-7156.
        I found the fix patch is also the same.


          People

          Assignee: Unassigned
          Reporter: Pavels Jelisejevs