[ZBX-23673] Reddit - Zabbix 6.4 SQL Injection vulnerability Created: 2023 Oct 28 Updated: 2024 Mar 12 Resolved: 2023 Nov 07 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | None |
Affects Version/s: | None |
Fix Version/s: | None |
Type: | Defect (Security) | Priority: | Minor |
Reporter: | Tomáš Heřmánek | Assignee: | Maris Melnikovs (Inactive) |
Resolution: | Won't fix | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Issue Links: |
|
Description |
Hi, today I found this issue on Reddit. I don't have time to do all the necessary tests, but I think it needs to be checked by somebody from Zabbix, just to be sure. https://www.reddit.com/r/zabbix/comments/17hrvnh/zabbix_64_sql_injection_vulnerability/ Tom |
Comments |
Comment by Maris Melnikovs (Inactive) [ 2023 Oct 30 ] |
Hi tomas.hermanek! Thank you for this information. We will definitely check it and let you know about our findings. Have a nice day! |
Comment by Maris Melnikovs (Inactive) [ 2023 Oct 30 ] |
Information from Reddit post – Just did a Nessus scan on my Zabbix installation and got a HIGH 8.4 CGI Generic SQL injection (blind) vulnerability. Does anyone with advanced knowledge know if this is a false positive or not?
Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'autologin' parameter of the /zabbix/index.php CGI :

/zabbix/index.php?password=&name=&autologin=1zz&name=&autologin=1yy

-------- output --------
const PHP_TZ_OFFSETS = [0];
</script><script src="js/browsers.js?1690546607"></script></head>
<body><div class="wrapper"><main><div class="server-name">Zabbix</div><d
iv class="signin-container"><div class="signin-logo"><div class="zabbix-
logo"></div></div><form method="post" action="index.php" accept-charset=
"utf-8" aria-label="Sign in"><ul><li><label for="name">Username</l [...]
-------- vs --------
const PHP_TZ_OFFSETS = [0];
</script><script src="js/browsers.js?1690546607"></script></head>
<body><div class="wrapper"><main><div class="server-name">Zabbix</div><d
iv class="signin-container"><div class="signin-logo"><div class="zabbix-
logo"></div></div><form method="post" action="index.php" accept-charset=
"utf-8" aria-label="Sign in"><ul><li><label for="name">Username</l [...]
------------------------

Description
By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database. An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system. Note that this script is experimental and may be prone to false positives.

Solution
Modify the affected CGI scripts so that they properly escape arguments.
|
Comment by Maris Melnikovs (Inactive) [ 2023 Nov 02 ] |
Hi tomas.hermanek! I ran SQL injection tests and all tested parameters do not appear to be injectable. I conclude this report is a false positive.
If you have a different opinion, do not hesitate to share it with us. Thank you again for this report! |
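
The Nessus description quoted above rests on the scanner getting "a very different response" for the two `autologin` values. As an added example (not part of the ticket and not Zabbix or Nessus code), this Python check shows one way to triage such a finding: mask values that change on every page load, then compare the two responses. The masking patterns, the threshold and the sample responses are assumptions constructed for illustration.

```python
import difflib
import re

# Values that change between otherwise identical page loads. These patterns
# are assumptions for illustration; tune them to the application under review.
VOLATILE = [
    (re.compile(r'(\.(?:js|css)\?)\d+'), r'\1N'),  # cache-buster, e.g. browsers.js?1690546607
    (re.compile(r'(<input type="hidden"[^>]*value=")[^"]*'), r'\1X'),  # per-request tokens
]


def normalize(body: str) -> str:
    """Mask volatile values and collapse whitespace so only real differences remain."""
    for pattern, repl in VOLATILE:
        body = pattern.sub(repl, body)
    return re.sub(r"\s+", " ", body).strip()


def triage(resp_a, resp_b, threshold=0.98):
    """Compare two (status, body) responses that a scanner flagged as different.

    Returns (equivalent, ratio). equivalent=True means the differential signal
    disappears after normalisation, which points to a false positive.
    """
    (status_a, body_a), (status_b, body_b) = resp_a, resp_b
    ratio = difflib.SequenceMatcher(
        None, normalize(body_a), normalize(body_b), autojunk=False
    ).ratio()
    return status_a == status_b and ratio >= threshold, ratio


# Constructed sample responses (not captured from a real server).
LOGIN = (
    '<script src="js/browsers.js?{ts}"></script></head>\n'
    '<body><div class="signin-container"><form method="post" action="index.php">'
    '<input type="hidden" name="token" value="{tok}">'
    '<label for="name">Username</label></form></div></body>'
)
resp_1zz = (200, LOGIN.format(ts="1690546607", tok="a1b2"))  # reply to autologin=1zz
resp_1yy = (200, LOGIN.format(ts="1690546999", tok="c3d4"))  # reply to autologin=1yy
resp_err = (500, "<body><h1>Database error</h1></body>")     # a genuine behaviour change

if __name__ == "__main__":
    print(triage(resp_1zz, resp_1yy))  # same page once volatile values are masked
    print(triage(resp_1zz, resp_err))  # different status and body
```

A result of `equivalent=True` only says the two responses do not differ in content; it does not replace testing the parameter itself, as the assignee did.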