[ZBX-7091] SQL injection vulnerabilities in the API and frontend Created: 2013 Oct 02  Updated: 2020 Jul 16  Resolved: 2013 Oct 02

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A), Frontend (F)
Affects Version/s: 1.8.17, 2.0.8, 2.1.6
Fix Version/s: 1.8.18rc1, 2.0.9rc1, 2.1.7

Type: Defect (Security) Priority: Critical
Reporter: Pavels Jelisejevs (Inactive) Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: api, frontend, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: ZBX-7091-1.8.18rc1.patch, ZBX-7091-1.8.2.patch, ZBX-7091-2.0.8.patch, ZBX-7091-2.0.9rc1.patch, ZBX-7091-2.1.7.patch
Issue Links:
Duplicate

Description

-------------------------
Vulnerability description
-------------------------

Zabbix frontend and API are vulnerable to SQL injection attacks. The vulnerabilities allow an attacker to gain access to the database and execute arbitrary SQL statements.

Please use CVE-2013-5743 to refer to this vulnerability.

-------
Details
-------

(1) The following API methods and parameters have been reported to be vulnerable:

alert.get: time_from, time_till;
event.get: object, source, eventid_from, eventid_till;
graphitem.get: type;
graph.get: type;
graphprototype.get: type;
history.get: time_from, time_till;
trigger.get: lastChangeSince, lastChangeTill, min_severity;
triggerprototype.get: min_severity;
usergroup.get: status.

This issue has been reported by Bernhard Schildendorfer from SEC Consult.
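
The pattern behind this class of bug, as an added illustration that is not Zabbix's own code and not a reconstruction of the patched API methods: a numeric filter parameter such as time_from is concatenated into a WHERE clause exactly as the caller supplied it, versus the same query built only after the parameter has been checked to be a plain non-negative integer. The table and column names and the helper names are placeholders.

```php
<?php
// Added example, not Zabbix code. Table and column names are placeholders.

// Vulnerable pattern: the API parameter is trusted as-is and interpolated
// into the SQL text, so whatever string the caller passes becomes part of
// the statement.
function buildAlertQueryUnsafe(array $params): string
{
    $sql = 'SELECT alertid, clock FROM alerts WHERE 1=1';
    if (isset($params['time_from'])) {
        $sql .= ' AND clock>=' . $params['time_from'];
    }
    if (isset($params['time_till'])) {
        $sql .= ' AND clock<=' . $params['time_till'];
    }
    return $sql;
}

// Hardened pattern: accept only an int, or a string made solely of digits,
// and hand back a real integer; everything else is rejected before any SQL
// is assembled. (ctype_digit is only consulted for strings, because its
// behaviour on int arguments differs between PHP versions.)
function validateUnixTime(string $name, $value): int
{
    if (is_int($value) && $value >= 0) {
        return $value;
    }
    if (is_string($value) && ctype_digit($value)) {
        return (int) $value;
    }
    throw new InvalidArgumentException(
        sprintf('Incorrect value for parameter "%s".', $name)
    );
}

function buildAlertQuerySafe(array $params): string
{
    $sql = 'SELECT alertid, clock FROM alerts WHERE 1=1';
    if (isset($params['time_from'])) {
        $sql .= ' AND clock>=' . validateUnixTime('time_from', $params['time_from']);
    }
    if (isset($params['time_till'])) {
        $sql .= ' AND clock<=' . validateUnixTime('time_till', $params['time_till']);
    }
    return $sql;
}

// Constructed inputs: a well-formed request and a malformed one.
$good = ['time_from' => '1380672000', 'time_till' => 1380758400];
$bad  = ['time_from' => '1380672000 OR 1=1'];

echo buildAlertQuerySafe($good), "\n";

// The unsafe builder passes the malformed value straight into the statement;
// the hardened builder refuses the request instead.
echo buildAlertQueryUnsafe($bad), "\n";
try {
    buildAlertQuerySafe($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The point of the validation step is that an integer parameter never needs quoting or escaping: once its type is enforced, the only thing that can reach the query is a number. The same rule applies to the enumerated parameters in the list above (type, status, min_severity), which should be checked against the set of permitted values rather than escaped as strings.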

(2) Code responsible for adding objects such as graphs or maps to favorites is also vulnerable to this type of attack. This can be exploited on the "Dashboard", "Graphs", "Maps", "Latest data" and "Screens" pages in the "Monitoring" section.

This issue has been reported by Lincoln, a member of Corelan Team.

-----------------
Affected versions
-----------------

All Zabbix versions are in some way vulnerable to this type of attack.

--------------
Fixed versions
--------------

These vulnerabilities have been fixed in the latest releases of Zabbix. Additionally, an internal security audit was performed and similar vulnerabilities have been fixed in other areas.

The fix is available in the following Zabbix releases:
2.0.9
1.8.18

Additionally, patches are available for the following Zabbix versions:
2.0.8
1.8.17
1.8.2



Comments
Comment by Pavels Jelisejevs (Inactive) [ 2013 Oct 02 ]

Fixed in 1.8.18rc1 r38907, 2.0.9rc1 r38908 and trunk r38909.

CLOSED.

Comment by Volker Fröhlich [ 2013 Oct 02 ]

Fixed in EL6: https://admin.fedoraproject.org/updates/zabbix20-2.0.8-3.el6

Fedora, EL5 and zabbix in EL6 are to be done.

Comment by Volker Fröhlich [ 2013 Oct 03 ]

https://admin.fedoraproject.org/updates/zabbix-1.8.17-3.el6
https://admin.fedoraproject.org/updates/zabbix20-2.0.8-3.el5

Comment by Volker Fröhlich [ 2013 Oct 03 ]

And 2.0.8-3 from F18 to Rawhide. Thus EPEL and Fedora are done.

Comment by Pavels Jelisejevs (Inactive) [ 2013 Oct 04 ]

Great! Thanks for the prompt fix.

Comment by Takanori Suzuki [ 2013 Oct 17 ]

Hi, I found a problem in the fixing code for ZBX-7091 for 1.8.x, commit r38907.
In zabbix-1.8.x revision r39228 with PostgreSQL, the profiles table data includes unneeded ''.
It's done by "updateDB()" in the "CProfile" class in "profiles.inc.php".
"updateDB()" is using "zbx_dbstr()" twice for "$value" if the value type is "value_str", and it adds unneeded ''.
Because of this, profiles data such as the default filtering setting or the default page after login become wrong.

And "insertDB()" in the "CProfile" class is not doing the same escaping.

I made a patch for these things.
Could you check it?
https://gist.github.com/BlueSkyDetector/7018855
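
As an added example of the double-quoting problem described in this comment (not Zabbix code, and not a reproduction of CProfile or zbx_dbstr()): the dbstr() helper below is a simplified stand-in for a quote-and-escape function, and the two builders show what happens when a value is quoted twice on its way into an UPDATE statement versus exactly once at the point where the SQL is assembled. The table and column names and the sample inputs are constructed.

```php
<?php
// Added example, not Zabbix code. dbstr() is a simplified stand-in for a
// quote-and-escape helper: it doubles embedded single quotes and wraps the
// result in single quotes, the standard SQL string-literal form.
function dbstr(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// The pitfall: the value is quoted once when it is prepared, and again when
// the UPDATE statement is built. The database then stores the quoted form,
// quote characters included, instead of the original value.
function buildUpdateDoubleQuoted(string $value, string $idx): string
{
    $value = dbstr($value);                                   // first quoting
    return 'UPDATE profiles SET value_str=' . dbstr($value)   // second quoting
        . ' WHERE idx=' . dbstr($idx);
}

// Correct: quote exactly once, where the statement is assembled.
function buildUpdateQuotedOnce(string $value, string $idx): string
{
    return 'UPDATE profiles SET value_str=' . dbstr($value)
        . ' WHERE idx=' . dbstr($idx);
}

// Mimics how the engine decodes a standard string literal: strip the outer
// quotes, then collapse each doubled single quote back to one.
function storedValueFromLiteral(string $literal): string
{
    return str_replace("''", "'", substr($literal, 1, -1));
}

// Constructed inputs: a profile key and a value containing a single quote,
// as a saved filter text might.
$idx   = 'web.latest.filter';
$value = "Zabbix's hosts";

echo buildUpdateDoubleQuoted($value, $idx), "\n";
echo buildUpdateQuotedOnce($value, $idx), "\n";

// What each statement leaves in value_str: the double-quoted statement
// stores a literal that still carries quote characters, the single-quoted
// one stores the original value.
echo storedValueFromLiteral(dbstr(dbstr($value))), "\n";
echo storedValueFromLiteral(dbstr($value)), "\n";
```

A practical check for this class of regression is to compare what a read-back of the profile row returns against the value that was written; if the two differ by surrounding quotes, a quoting helper is being applied at more than one layer.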

Comment by richlv [ 2013 Oct 17 ]

takanori, could this be the same as ZBX-7156?

Comment by Takanori Suzuki [ 2013 Oct 17 ]

Hi richlv, thx.
It's exactly the same issue as ZBX-7156.
I found that the fix patch is also the same.
