-------------------------
Vulnerability description
-------------------------
Zabbix frontend and API are vulnerable to SQL injection attacks. The vulnerabilities allow an attacker to gain access to the database and execute arbitrary SQL statements.
Please use CVE-2013-5743 to refer to this vulnerability.
-------
Details
-------
(1) The following API methods and parameters have been reported to be vulnerable:
alert.get: time_from, time_till;
event.get: object, source, eventid_from, eventid_till;
graphitem.get: type;
graph.get: type;
graphprototype.get: type;
history.get: time_from, time_till;
trigger.get: lastChangeSince, lastChangeTill, min_severity;
triggerprototype.get: min_severity;
usergroup.get: status.
This issue has been reported by Bernhard Schildendorfer from SEC Consult.
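Every parameter in the list above is one the API documents as numeric (a timestamp, an object id, a severity or a status flag), so a defender can watch for API requests that pass anything else in those fields. The script below is an added example, not code from the advisory or from Zabbix: it scans newline-delimited JSON-RPC request bodies (the Zabbix API uses JSON-RPC 2.0 with "method" and "params" members) and flags the listed parameters when their value is not an integer. The log lines are constructed for the example; the TOKEN auth value and item ids are placeholders.

```python
"""Flag Zabbix JSON-RPC API requests whose numeric filter parameters carry
non-numeric values. Added example; not Zabbix code."""
import json
import re

# Method -> parameters named in the advisory. All of them are numeric in the
# API, so a non-numeric value is at best a client bug and at worst a probe.
# Tuples keep the reporting order deterministic.
NUMERIC_PARAMS = {
    "alert.get": ("time_from", "time_till"),
    "event.get": ("object", "source", "eventid_from", "eventid_till"),
    "graphitem.get": ("type",),
    "graph.get": ("type",),
    "graphprototype.get": ("type",),
    "history.get": ("time_from", "time_till"),
    "trigger.get": ("lastChangeSince", "lastChangeTill", "min_severity"),
    "triggerprototype.get": ("min_severity",),
    "usergroup.get": ("status",),
}

_INT = re.compile(r"^-?\d+$")


def is_numeric(value):
    """Accept ints (but not bools) and strings made solely of digits."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return True
    return isinstance(value, str) and bool(_INT.match(value))


def audit_request(body):
    """Return (method, param, value) for each suspicious parameter in one
    parsed JSON-RPC request body; an empty list means nothing to report."""
    method = body.get("method")
    params = body.get("params")
    if method not in NUMERIC_PARAMS or not isinstance(params, dict):
        return []
    findings = []
    for name in NUMERIC_PARAMS[method]:
        if name not in params:
            continue
        value = params[name]
        # Several of these parameters accept either one value or a list.
        values = value if isinstance(value, list) else [value]
        for item in values:
            if not is_numeric(item):
                findings.append((method, name, item))
    return findings


def audit_log(lines):
    """Audit newline-delimited request bodies; lines that are not JSON
    objects (e.g. truncated or non-API entries) are skipped, not fatal."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            body = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(body, dict):
            findings.extend(audit_request(body))
    return findings


# Constructed sample log: three well-formed requests and one whose time_from
# carries a stray quote, the kind of malformed value a fuzzer or injection
# probe sends. "TOKEN" stands in for a real session id.
SAMPLE_LOG = """
{"jsonrpc":"2.0","method":"history.get","params":{"itemids":"10001","time_from":1380000000,"time_till":"1380003600"},"auth":"TOKEN","id":1}
{"jsonrpc":"2.0","method":"trigger.get","params":{"min_severity":"3","lastChangeSince":1380000000},"auth":"TOKEN","id":2}
{"jsonrpc":"2.0","method":"alert.get","params":{"time_from":"1380000000'"},"auth":"TOKEN","id":3}
{"jsonrpc":"2.0","method":"host.get","params":{"output":"extend"},"auth":"TOKEN","id":4}
"""

if __name__ == "__main__":
    for method, param, value in audit_log(SAMPLE_LOG.splitlines()):
        print(f"suspicious {method} parameter {param!r}: {value!r}")
```

On a patched deployment the same check is still worth running: a non-integer value in these fields is never a legitimate request, so any hit points either at a broken client or at someone testing whether the fix is in place. Feed the script the request bodies from a reverse proxy or application log in front of api_jsonrpc.php; request methods and parameters are all it needs.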
(2) Code responsible for adding objects such as graphs or maps to favorites is also vulnerable to this type of attack. This can be exploited on the "Dashboard", "Graphs", "Maps", "Latest data" and "Screens" pages in the "Monitoring" section.
This issue has been reported by Lincoln, a member of Corelan Team.
-----------------
Affected versions
-----------------
All Zabbix versions are in some way vulnerable to this type of attack.
--------------
Fixed versions
--------------
These vulnerabilities have been fixed in the latest releases of Zabbix. Additionally, an internal security audit was performed and similar vulnerabilities have been fixed in other areas.
The fix is available in the following Zabbix releases:
2.0.9
1.8.18
Additionally, patches are available for the following Zabbix versions:
2.0.8
1.8.17
1.8.2