[ZBX-3840] Path Disclosure Vulnerability
Created: 2011 May 25  Updated: 2017 May 30  Resolved: 2011 Jul 18

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: None
Fix Version/s: 1.8.6

Type: Incident report
Priority: Minor
Reporter: Damian Tommasino
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: All

Attachments: PNG File zabbix_info_leak.png
Issue Links:
Duplicate
is duplicated by ZBX-4668 Path disclosure vulnerability when us... Closed

 Description   

By changing the request parameter to something invalid, an error message is produced disclosing the location/path of the Zabbix install.

This is an information leakage / path disclosure vulnerability. Not a huge deal, but should be fixed time permitting.



 Comments   
Comment by Damian Tommasino [ 2011 May 25 ]

Forgot to add a sample request to cause the issue:

GET http://192.168.1.73/zabbix/popup.php?dstfrm=Action&dstfld1=new_operation%5Bobjectid%5D&dstfld2=object_name&srctbl=usrgrp&srcfld1=usrgrpid&srcfld2=password&submit=1 HTTP/1.1

The "password" value is passed to the srcfld2 parameter, triggering the error.

Comment by Damian Tommasino [ 2011 May 25 ]

The srctbl parameter isn't validated either. By changing this to any correct table name in the DB you can output contents of the table.

Comment by Alexey Fukalov [ 2011 Jul 14 ]

dev branch: svn://svn.zabbix.com/branches/dev/ZBX-3840

Comment by richlv [ 2011 Jul 14 ]

Full path not visible in dev branch rev 20600.
Leaving issue as is for code review.

Comment by Aleksandrs Saveljevs [ 2011 Jul 15 ]

Damian, the issue regarding validating "srctbl" was moved to ZBX-3955. Thanks!

Comment by Alexey Fukalov [ 2011 Jul 18 ]

svn://svn.zabbix.com/branches/1.8 20619

Comment by Andy Goldschmidt [ 2011 Aug 22 ]

This is now listed on the NIST website:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3264

Comment by Takanori Suzuki [ 2011 Nov 02 ]

Though Zabbix SIA might have already stopped maintaining 1.6.x, because this is a security issue I checked this issue in Zabbix-1.6.9.
Zabbix-1.6.9 is also affected.
So, I made a patch for Zabbix-1.6.9.

https://gist.github.com/1332795

Comment by Volker Fröhlich [ 2013 Jan 22 ]

Is Takanori's patch sufficient to settle the issue? EPEL 5 still has 1.4.7 and it doesn't seem to be solved there. Will this patch do?

http://www.geofrogger.net/review/zabbix-1.4.7-cve-2011-3264.patch

Sorry, I can't attach it here.

https://bugzilla.redhat.com/show_bug.cgi?id=729162
