[ZBX-1031] Remote SQL injection in Zabbix Server

Created: 2009 Sep 10 | Updated: 2017 May 30 | Resolved: 2009 Nov 24

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | ZABBIX BUGS AND ISSUES |
| Component/s | Server (S) |
| Affects Version/s | None |
| Fix Version/s | 1.6.7, 1.9.0 (alpha) |
| Type | Incident report |
| Priority | Blocker |
| Reporter | Igor Danoshaites (Inactive) |
| Assignee | Unassigned |
| Resolution | Fixed |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Attachments | |

Description
A security vulnerability has been found in the Zabbix Server, allowing remote unauthenticated users to execute arbitrary SQL queries. This was tested on Zabbix 1.6.5 (latest) and Zabbix 1.6.1 (as available in Ubuntu Jaunty). A feature allows the "nodewatcher" component to send history data to the main node. Before sending any data, a call to get_history_lastid() is made in order to check whether a synchronization is needed. This function will execute a "SELECT MAX(...) FROM ..." with user-controlled arguments. As no restriction is made server-side on the caller of this functionality, it is trivial to execute arbitrary SQL requests on any reachable Zabbix Server. As a bonus for the attacker, the result of the request is sent back. This is not a typical SQL injection, as quoting variables can't help.
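The bug class the report describes, as an added illustration in C (the Zabbix server's language). This is not the Zabbix server's code nor anything from the reporter: the function names, the request values and the allowlist of table and column names below are all constructed for the example, and the real schema and fix may differ. It shows why "quoting variables can't help" (the untrusted values are SQL identifiers, which neither escaping nor a bound parameter can neutralise) and what a server-side fix for that part of the problem looks like: the peer may only choose among identifiers the server already knows, and the query text is built from the server's own strings.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class in ZBX-1031: an identifier
 * (table and column name) taken from a remote request is spliced into
 * "SELECT MAX(<field>) FROM <table>". Names, the table list and the
 * request values are assumptions for this example, not Zabbix code. */

/* Hypothetical allowlist: which history-style tables the lookup may touch
 * and which column each one exposes (illustrative, not the real schema). */
struct lastid_table {
    const char *table;
    const char *field;
};

static const struct lastid_table allowed[] = {
    { "history",      "clock" },
    { "history_uint", "clock" },
    { "trends",       "clock" },
    { "events",       "eventid" },
};

/* Vulnerable shape: whatever the peer sent becomes part of the SQL text.
 * There is nothing to quote here: the untrusted values are identifiers,
 * not string literals, so escaping or a prepared-statement parameter
 * cannot neutralise them. Returns 0 on success, -1 if out is too small. */
int build_lastid_query_unsafe(const char *table, const char *field,
                              char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "SELECT MAX(%s) FROM %s", field, table);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened shape: the request may only *select* one of the (table, field)
 * pairs the server itself knows about; the SQL is then built from the
 * server's own strings, never from the peer's bytes. Returns 0 on success,
 * -1 if the pair is not allowed or out is too small. */
int build_lastid_query_safe(const char *table, const char *field,
                            char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (strcmp(allowed[i].table, table) == 0 &&
            strcmp(allowed[i].field, field) == 0) {
            int n = snprintf(out, outlen, "SELECT MAX(%s) FROM %s",
                             allowed[i].field, allowed[i].table);
            return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
        }
    }
    return -1;   /* unknown table/field: refuse rather than interpolate */
}

/* Convenience wrappers over a static buffer so results are easy to inspect;
 * they return NULL when the underlying builder refuses. */
const char *unsafe_query(const char *table, const char *field)
{
    static char buf[256];
    return build_lastid_query_unsafe(table, field, buf, sizeof buf) == 0 ? buf : NULL;
}

const char *safe_query(const char *table, const char *field)
{
    static char buf[256];
    return build_lastid_query_safe(table, field, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed request values: one legitimate, one carrying SQL text.
     * "users" is just an illustrative target table name. */
    const char *good_field = "clock";
    const char *evil_field = "clock) FROM users; --";
    const char *q;

    printf("unsafe, legitimate : %s\n", unsafe_query("history", good_field));
    printf("unsafe, hostile    : %s\n", unsafe_query("history", evil_field));

    q = safe_query("history", good_field);
    printf("safe, legitimate   : %s\n", q ? q : "rejected");
    q = safe_query("history", evil_field);
    printf("safe, hostile      : %s\n", q ? q : "rejected");
    return 0;
}
```

The hostile value is passed through the unsafe builder verbatim, so the resulting statement is whatever the peer wrote after the first closing parenthesis; the safe builder never copies peer bytes into SQL at all, only a server-owned string that the peer's bytes matched exactly. The allowlist addresses the injection itself; the other gap the report names, that nothing restricts who may call this functionality, is a separate authentication control and is not modelled here.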
Comments

Comment by Alexander Vladishev [ 2009 Sep 24 ]

Fixed in branches 1.6 (pre1.6.7) and trunk, revision 7964.

Comment by Alexander Vladishev [ 2009 Nov 24 ]

Thank you!

Comment by Igor Danoshaites (Inactive) [ 2009 Nov 24 ]

I am closing this resolved issue; it should be fixed in pre-1.6.8, revision 8368.