[ZBX-7638] Security Issues with Zabbix 2.0.9 Created: 2014 Jan 10  Updated: 2020 Jul 16  Resolved: 2014 Jan 13

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: None
Affects Version/s: 2.0.9
Fix Version/s: None

Type: Defect (Security) Priority: Major
Reporter: Abhishek Singh Assignee: Unassigned
Resolution: Won't fix Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

We run zabbix agents on our blades and a central Zabbix server in HA. These are all Centos 6.4 systems.

Description

We need to be compliant with several security guidelines from our customers, and one step towards that is to run a Nessus scan and get rid of as many findings as we can. When we run Nessus on our nodes running Zabbix, there are two High/Major warnings which seem code-related and hence should be considered as bugs. If there is a way to work around these through setup configuration, we could surely look at that as well.

There was ZBX-6652 raised for similar issues but these could have been re-introduced again in some build as our version is much higher than the fix version in that bug.

39469 - CGI Generic Remote File Inclusion
Using the POST HTTP method, Nessus found that :

+ The following resources may be vulnerable to web code injection :

+ The 'sid' parameter of the /zabbix/profile.php CGI :

/zabbix/profile.php [messages[sounds.4]=no_sound.wav&autologin=1&lang=uk_UA&rows_per_page=50&messages[sounds.repeat]=-1&autologout=900&config=0&save=Save&url=&messages[enabled]=1&refresh=30&messages[sounds.3]=no_sound.wav&autologout_visible=yes&messages[sounds.recovery]=no_sound.wav&messages[triggers.severities][5]=1&cancel=Cancel&print=1&sid=http://K93_YDsR.example.com/&messages[sounds.0]=no_sound.wav&messages[triggers.severities][4]=1&messages[triggers.recovery]=1&messages[sounds.2]=no_sound.wav&messages[triggers.severities][3]=1&change_password=Change%20password&stop=Stop&messages[sounds.1]=no_sound.wav&messages[sounds.5]=no_sound.wav&messages[triggers.severities][2]=1&messages[triggers.severities][1]=1&start=Play&messages[triggers.severities][0]=1&form_refresh=1&theme=darkorange&messages[timeout]=60]

-------- output --------
<body class="originalblue">
<div id="message-global-wrap"><div id="message-global"></div></div>
[...] include/page_header.php:453]</li></ul></td></tr></table><table class="msgerr" cellpadding="0" cellspacing="0"><tr class=""><td class="clr"><div class="blacklink" onclick="javascript: showHide("msg_messages", IE ? "block" : "table");" title="Maximize/Minimize">Details</div></td><td class="msg_main msg" id="page_msg"><strong class="">ERROR: Zabbix has received an incorrect request.</strong></td></tr></table><table class="msgerr" cellpadding="0" cellspacing="0" id="msg_messages" style="width: 100%;"><tr class=""><td class="msg" colspan="1"><ul class="messages"><li class="error">Undefined index: alias [profile.php:36]</li><li class="info">Critical error. Incorrect value "http://K93_YDsR.example.com/&quot; for "sid" field.</li><li class="info">Operation cannot be performed due to unauthorized request.</li></ul></td></tr></table><table class="msgerr" cellpadding="0" cellspacing="0" id="msg_messages" style="width: 100%;"><tr class=""><td class="msg" colspan="1"><ul class="messages" style="height: 96px;"><li class="error">Undefined index: alias [includ [...]
LINE 1: ...leid, userid, idx, value_str, type, idx2) VALUES (, 2, [...]
^ [include/db.inc.php:511]</li><li class="error">Error in query [I [...]
------------------------

43160 (1) - CGI Generic SQL Injection (blind, time based)

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection (time based) :

+ The 'showGuiMessaging' parameter of the /zabbix/jsLoader.php CGI :

/zabbix/jsLoader.php?ver=2.0.9&lang=en_gb&showGuiMessaging=0'));WAITFOR%20DELAY%20'00:00:21';--

-------- output --------
if (typeof(locale) == "undefined") { var locale = {}; }
locale['S_MAX_COOKIE_SIZE_REACHED'] = 'We are sorry, the maximum p [...]

 *  (c) 2005-2009 Sam Stephenson
 *
 *  Prototype is freely distributable under the terms of an MIT-sty [...]
 *  For details, see the Prototype web site: http://www.prototypejs.org/
 *
 *  [...]


Comments
Comment by Pavels Jelisejevs (Inactive) [ 2014 Jan 13 ]

Abhishek, I've reviewed both cases in the latest 2.0, and none of them are working. In the first case, the "sid" parameter is not used for file inclusion and the application will stop if it contains an incorrect value. In the second case, the "showGuiMessaging" parameter is not saved in the DB, and cannot be used for SQL injections.

CLOSED.
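The behaviour Pavels describes for the first finding, shown as an added illustration that is not Zabbix's own code: the `sid` value is an anti-CSRF token tied to the login session, so a foreign value such as the URL Nessus sent is rejected before it could reach any file operation. It assumes, without confirmation from this page, that the token is a 16-character slice of the `zbx_sessionid` cookie; the session id and the function names are constructed for the example.

```php
<?php
// Added example, not Zabbix code. Models a session-bound 'sid' check.
// Assumption: the token is the 16 hex chars of the session id starting at
// offset 16 (a constructed model of the frontend's CSRF protection).
function expected_sid(string $session_id): string {
    return substr($session_id, 16, 16);
}

// Fail closed: the request proceeds only when 'sid' is well-formed and
// equals the token bound to the caller's session. hash_equals() keeps the
// comparison constant-time so a wrong token leaks nothing via timing.
function check_sid(?string $sid, string $session_id): array {
    if ($sid === null || !preg_match('/^[0-9a-f]{16}$/', $sid)) {
        return [false, 'Critical error. Incorrect value "' . (string)$sid . '" for "sid" field.'];
    }
    if (!hash_equals(expected_sid($session_id), $sid)) {
        return [false, 'Operation cannot be performed due to unauthorized request.'];
    }
    return [true, 'ok'];
}

// Constructed session id (32 hex chars, shaped like a zbx_sessionid cookie).
$session_id = '0123456789abcdef' . 'fedcba9876543210';

$cases = [
    'legitimate form post'       => 'fedcba9876543210',
    'Nessus RFI probe'           => 'http://K93_YDsR.example.com/',
    'token from another session' => '00000000deadbeef',
    'missing parameter'          => null,
];
foreach ($cases as $label => $sid) {
    [$ok, $msg] = check_sid($sid, $session_id);
    printf("%-28s -> %s (%s)\n", $label, $ok ? 'accepted' : 'rejected', $msg);
}
```

Only the first case is accepted; the other three stop the request, which is why a scanner that only sees an error page for its payload has no actual file-inclusion path here.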

Comment by Abhishek Singh [ 2014 Jan 13 ]

Thanks Pavels!

Comment by richlv [ 2014 Jan 15 ]

similar: ZBX-7655

Generated at Wed Jun 04 20:38:49 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.