[ZBX-8151] Zabbix 1.8.x-2.2.x Local File Inclusion via XXE Attack
Created: 2014 Apr 25 | Updated: 2020 Jul 16 | Resolved: 2014 Jun 26

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A), Frontend (F)
Affects Version/s: 1.8.19, 1.8.20, 2.0.9, 2.0.10, 2.0.11rc2, 2.0.11, 2.2.2, 2.2.3rc1, 2.2.3rc2, 2.2.3
Fix Version/s: 1.8.21rc1, 2.0.13rc1, 2.2.5rc1, 2.3.2
Type: Defect (Security)
Priority: Critical
Reporter: pnig0s
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: frontend, import, security, vulnerability, xxe
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: CentOS 6.5 x84
Attachments: ZBX_8151_2_2_2.patch, poc_screenshot_01.jpg, poc_screenshot_02.jpg
Issue Links:
Description

The Zabbix frontend supports an XML data import feature, and the server side uses DOMDocument to parse the XML. DOMDocument also parses the external DTD by default, so an attacker can use a crafted XML file to read arbitrary local files and to send HTTP requests using the Zabbix server as a proxy.

Reproduction: zabbix.xml to import:
Comments

Comment by pnig0s [ 2014 Jun 14 ]
Still no fix release for this?

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 16 ]
Can you please provide details about the system hosting Zabbix (OS version, PHP version, libxml version)? It seems that this vulnerability affects only systems that have the DTDLOAD libxml flag set (obsolete Red Hat systems, mostly) and cannot be fixed on the Zabbix level (please note that forcing libxml to load external DTDs by default is a major security hole in itself).
Comment by Pavels Jelisejevs (Inactive) [ 2014 Jun 16 ]
An update from Andrejs:

Comment by pnig0s [ 2014 Jun 16 ]
Yes, you can use libxml_disable_entity_loader(true); to disable the entity parsing, or just throw an error when coming across a DTD tag. I use Ubuntu 10.04 with libxml 2.6. The newest version of libxml has fixed this problem, but there are a lot of vulnerable hosts in the wild.
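The two mitigations raised in this thread (the description's point that DOMDocument honours external DTDs, and the suggestion above to call libxml_disable_entity_loader(true) or reject any DTD outright) combined into one hardened loader for imported XML. This is an added illustration, not Zabbix code and not the ZBX_8151_2_2_2.patch attached to this issue; the function name loadImportXml, the XmlImportError class and the two sample export documents are constructed for the example.

```php
<?php
// Added example (not Zabbix code or the ZBX-8151 patch): a hardened loader for
// imported XML that applies the mitigations discussed in this issue. The function
// name, exception class and sample documents are constructed for illustration.

final class XmlImportError extends RuntimeException {}

/**
 * Parse untrusted import XML without ever honouring a DTD or an external entity.
 */
function loadImportXml(string $xml): DOMDocument
{
    // 1. Refuse any document that declares a DTD. Export files never need one,
    //    so a DOCTYPE is rejected outright, whatever libxml's flags happen to be.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new XmlImportError('import rejected: DOCTYPE declarations are not allowed');
    }

    // 2. Disable libxml's external entity loader while parsing. PHP < 8.0 has it
    //    enabled by default; PHP >= 8.0 disables it by default and deprecates the call.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $doc = new DOMDocument();
        // 3. Parse with LIBXML_NONET (no network access) and without LIBXML_NOENT
        //    or LIBXML_DTDLOAD, so entities are not substituted and no external
        //    DTD is fetched even if the textual check above were somehow bypassed.
        if ($doc->loadXML($xml, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            $msg = $err !== false ? trim($err->message) : 'parse error';
            throw new XmlImportError('import rejected: ' . $msg);
        }
        // 4. Post-parse check: no DTD node may have survived.
        if ($doc->doctype !== null) {
            throw new XmlImportError('import rejected: document carries a DTD');
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample inputs. The second one carries only a harmless internal
// entity; the loader rejects it simply because it has a DOCTYPE at all.
const SAMPLE_BENIGN = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
    <version>2.0</version>
    <date>2014-04-25T00:00:00Z</date>
</zabbix_export>
XML;

const SAMPLE_WITH_DTD = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zabbix_export [ <!ENTITY note "constructed internal entity"> ]>
<zabbix_export>
    <version>&note;</version>
</zabbix_export>
XML;

foreach (['benign export' => SAMPLE_BENIGN, 'export with DTD' => SAMPLE_WITH_DTD] as $label => $xml) {
    try {
        $doc = loadImportXml($xml);
        printf("%s: accepted, root element <%s>\n", $label, $doc->documentElement->tagName);
    } catch (XmlImportError $e) {
        printf("%s: %s\n", $label, $e->getMessage());
    }
}
```

The textual DOCTYPE check is the primary control, because it does not depend on how the host's libxml was built or on which flags a later code change passes to loadXML; disabling the entity loader and parsing without LIBXML_DTDLOAD/LIBXML_NOENT are layered behind it so that a Zabbix install on an old libxml with DTDLOAD forced on, the situation Andrejs describes, is still covered.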
Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 17 ]
RESOLVED

Comment by Pavels Jelisejevs (Inactive) [ 2014 Jun 18 ]
(1) Please add a comment on why the LIBXML_IMPORT_FLAGS constant is required. Otherwise good.
andrewtch: CLOSED

Comment by Pavels Jelisejevs (Inactive) [ 2014 Jun 18 ]
TESTED. Please take care of (1) before merging.

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 18 ]
Waiting for 2.2 to unfreeze before merging (as of June 18, 2014).
Comment by Ingus Vilnis [ 2014 Jun 20 ]
(2) Please create a patch for a customer using the 2.2.2 frontend.
andrewtch: please see https://support.zabbix.com/secure/attachment/28912/ZBX_8151_2_2_2.patch attached; apply with patch -p0 -i ZBX_8151_2_2_2.patch from the Zabbix root. Should also work on other 2.0 / 2.2 branches. RESOLVED.
ingus.vilnis: CLOSED. May be reopened because the customer has not confirmed the patch yet (as of June 26).

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 20 ]
Patch for 2.2.2 (should work on any 2.0 / 2.2).

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 25 ]
Closed in pre-1.8.21rc1 r46795, pre-2.0.13rc1 r46796, pre-2.2.5rc1 r46797, pre-2.3.2 r46799.

Comment by richlv [ 2014 Jun 25 ]
Subissues (1) and (2) are still not closed.

Comment by richlv [ 2014 Jun 25 ]
(3) The changelog entry only has the F component marked. Didn't this fix affect the API in some way, too (configuration.import or anything else)?
andrewtch: RESOLVED, corrected changelogs.
richlv: note that more recent changelogs have sections for older releases; apparently those have not been updated.
andrewtch: Must be fixed by now.
<richlv> thanks, looks good to me -> CLOSED

Comment by richlv [ 2014 Jun 25 ]
(4) It's common practice to mention reporters for security issues. In this case, let's add to the changelog entry "; thanks to pnig0s@Freebuf for the report".
andrewtch: RESOLVED, updated changelogs.
richlv: note that more recent changelogs have sections for older releases; apparently those have not been updated.
andrewtch: Must be fixed by now.
<richlv> thanks, looks good to me -> CLOSED