[ZBX-11023] SQL injection vulnerabilities in "Latest data" Created: 2016 Jul 22 Updated: 2019 Mar 28 Resolved: 2016 Jul 22 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | None |
| Affects Version/s: | 2.2.13, 3.0.3 |
| Fix Version/s: | 2.2.14rc1, 3.0.4rc1, 3.2.0alpha1 |
| Type: | Problem report | Priority: | Blocker |
| Reporter: | Alexander Vladishev | Assignee: | Unassigned |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | vulnerability | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||
| Description |
|
Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page. For example: Result SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from users where (1=1) latest.php:746 ? require_once() ? CProfile::flush() ? CProfile::insertDB() ? DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185 |
| Comments |
| Comment by Alexander Vladishev [ 2016 Jul 22 ] |
|
3.0 and trunk was fixed in development branch svn://svn.zabbix.com/branches/dev/DEV-551-30 |
| Comment by Alexander Vladishev [ 2016 Jul 22 ] |
|
(1) No translation strings changed iivs CLOSED |
| Comment by Ivo Kurzemnieks [ 2016 Jul 22 ] |
|
(2) Minor coding style fix for 3.0 in r61169 sasha Thanks! CLOSED |
| Comment by Alexander Vladishev [ 2016 Jul 22 ] |
|
Fixed in 2.2.14 r61173, 3.0.4 r61174 and pre-3.1.0 (trunk) r61175. |
| Comment by richlv [ 2016 Sep 07 ] |
|
could it be that jsrpc.php was affected, too ? if so, the changelog entry should probably be changed to either include all affected endpoints, or at least not exclusively mention latest data |