[ZBX-1031] Remote SQL injection in Zabbix Server. Created: 2009 Sep 10 Updated: 2017 May 30 Resolved: 2009 Nov 24 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Server (S) |
Affects Version/s: | None |
Fix Version/s: | 1.6.7, 1.9.0 (alpha) |
Type: | Incident report | Priority: | Blocker |
Reporter: | Igor Danoshaites (Inactive) | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Attachments: | zbx-sqli-v2.py |
Description |
A security vulnerability has been found in the Zabbix Server, allowing remote unauthenticated users to execute arbitrary SQL queries. This was tested on Zabbix 1.6.5 (latest) and Zabbix 1.6.1 (as available in Ubuntu Jaunty). A feature allows the "nodewatcher" component to send history data to the main node. Before sending any data, a call to get_history_lastid() is made in order to check whether a synchronization is needed. This function executes a "SELECT MAX(...) FROM ..." with user-controlled arguments. As no restriction is made server-side on the caller of this functionality, it is trivial to execute arbitrary SQL requests on any reachable Zabbix Server. As a bonus for the attacker, the result of the request is sent back. This is not a typical SQL injection, as quoting variables cannot help. |
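The pattern the report describes, as an added illustration that is not part of the original issue or of the Zabbix code base: the attacker controls the table and field names that land in identifier positions of a `SELECT MAX(...) FROM ...`, so bind parameters and quoting are no defence, and because the caller receives the query result, a scalar subquery in the field position reads arbitrary data back in a single statement. The schema, table and column names, the handler functions and the allowlist are hypothetical; the hardened variant shows one way to close the hole (validate both identifiers against a fixed schema map before building the query) and is not the fix shipped in 1.6.7.

```python
import sqlite3

# Constructed sample schema (hypothetical, not the Zabbix schema): a history
# table of the kind a node would synchronise, plus an unrelated table holding
# data an attacker wants to read.
SCHEMA = """
CREATE TABLE history (itemid INTEGER, clock INTEGER, value REAL);
INSERT INTO history VALUES (1, 1000, 1.0), (1, 1100, 2.0), (2, 900, 3.0);
CREATE TABLE users (alias TEXT, passwd TEXT);
INSERT INTO users VALUES ('Admin', 'secret-hash');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lastid_vulnerable(conn, table, field):
    """The bug pattern: caller-supplied names are interpolated into
    identifier positions. execute() runs a single statement, and the
    injection below still works because it needs no stacked query."""
    sql = "SELECT MAX(%s) FROM %s" % (field, table)
    return conn.execute(sql).fetchone()[0]


def lastid_quoted(conn, table, field):
    """Why 'just quote it' fails: quoting the field turns the column name
    into a string literal, so MAX('clock') returns the text 'clock' instead
    of the newest timestamp. The table position has the same problem."""
    sql = "SELECT MAX('%s') FROM %s" % (field, table)
    return conn.execute(sql).fetchone()[0]


# Hypothetical allowlist: each table this handler may query, mapped to the
# columns that may be passed to MAX(). Anything else is rejected outright.
ALLOWED = {
    "history": {"clock", "itemid"},
}


def lastid_hardened(conn, table, field):
    """Identifiers are looked up in a fixed schema map before the query is
    built, so the SQL text can only ever contain known names."""
    if table not in ALLOWED or field not in ALLOWED[table]:
        raise ValueError("unknown table or field: %r.%r" % (table, field))
    sql = 'SELECT MAX("%s") FROM "%s"' % (field, table)
    return conn.execute(sql).fetchone()[0]


def demo():
    conn = open_db()
    legit = lastid_vulnerable(conn, "history", "clock")
    # Attacker-controlled identifiers: a scalar subquery where a column name
    # is expected. The "MAX" result handed back to the caller is the password.
    leaked = lastid_vulnerable(conn, "users", "(SELECT passwd FROM users)")
    try:
        lastid_hardened(conn, "users", "(SELECT passwd FROM users)")
        blocked = False
    except ValueError:
        blocked = True
    return legit, leaked, blocked, lastid_hardened(conn, "history", "clock")


if __name__ == "__main__":
    print(demo())
```

The check in `lastid_hardened` is deliberately a membership test against a static map rather than a regular expression over the identifier: an allowlist of known tables and columns cannot be bypassed by a cleverly shaped name, and it also stops a legitimate-looking request from reading a table the synchronisation protocol was never meant to touch.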
Comments |
Comment by Alexander Vladishev [ 2009 Sep 24 ] |
Fixed in branches 1.6 (pre1.6.7) and trunk, revision 7964. |
Comment by Alexander Vladishev [ 2009 Nov 24 ] |
Thank you! |
Comment by Igor Danoshaites (Inactive) [ 2009 Nov 24 ] |
I am closing this resolved issue; it should be fixed in pre-1.6.8, revision 8368. |