[ZBX-7091] SQL injection vulnerabilities in the API and frontend

Created: 2013 Oct 02
Updated: 2020 Jul 16
Resolved: 2013 Oct 02

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A), Frontend (F)
Affects Version/s: 1.8.17, 2.0.8, 2.1.6
Fix Version/s: 1.8.18rc1, 2.0.9rc1, 2.1.7
Type: Defect (Security)
Priority: Critical
Reporter: Pavels Jelisejevs (Inactive)
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: api, frontend, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Attachments: ZBX-7091-1.8.18rc1.patch, ZBX-7091-1.8.2.patch, ZBX-7091-2.0.8.patch, ZBX-7091-2.0.9rc1.patch, ZBX-7091-2.1.7.patch
Issue Links:
Description

Zabbix frontend and API are vulnerable to SQL injection attacks. The vulnerabilities allow an attacker to gain access to the database and execute arbitrary SQL statements. Please use CVE-2013-5743 to refer to this vulnerability.

(1) The following API methods and parameters have been reported to be vulnerable: alert.get: time_from, time_till.

(2) Code responsible for adding objects such as graphs or maps to favorites is also vulnerable to this type of attack. This can be exploited on the "Dashboard", "Graphs", "Maps", "Latest data" and "Screens" pages in the "Monitoring" section.

This issue has been reported by Lincoln, a member of Corelan Team.

All of the Zabbix versions are in some way vulnerable to this type of attack.

These vulnerabilities have been fixed in the latest releases of Zabbix. Additionally, an internal security audit was performed and similar vulnerabilities have been fixed in other areas.

The fix is available in the following Zabbix releases:

Additionally, patches are available for the following Zabbix versions:
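The class of defect described above (an API filter value such as alert.get's time_from/time_till reaching the SQL text without validation) and one way to close it, as an added illustrative example that is not Zabbix code and not the patch attached to this issue. The table, column and function names are hypothetical.

```php
<?php
// Added example, not Zabbix code. Shows why a time-range filter must be
// validated before it is placed into SQL and one way to enforce that.

// Weak pattern: the filter value is concatenated into the query as-is, so any
// input that is not a plain integer changes the meaning of the statement.
function buildAlertQueryUnsafe(array $options): string {
    $sql = 'SELECT a.alertid, a.clock FROM alerts a WHERE 1=1';
    if (isset($options['time_from'])) {
        $sql .= ' AND a.clock>=' . $options['time_from'];
    }
    if (isset($options['time_till'])) {
        $sql .= ' AND a.clock<=' . $options['time_till'];
    }
    return $sql;
}

// Hardened pattern: a time filter must be an unsigned integer timestamp.
// Anything else is rejected with an error instead of being passed through.
function toTimestamp($value, string $name): int {
    if (is_int($value) && $value >= 0) {
        return $value;
    }
    if (is_string($value) && ctype_digit($value)) {
        return (int) $value;
    }
    throw new InvalidArgumentException(
        "Invalid parameter \"$name\": an unsigned integer timestamp is expected."
    );
}

function buildAlertQuerySafe(array $options): string {
    $sql = 'SELECT a.alertid, a.clock FROM alerts a WHERE 1=1';
    if (isset($options['time_from'])) {
        $sql .= ' AND a.clock>=' . toTimestamp($options['time_from'], 'time_from');
    }
    if (isset($options['time_till'])) {
        $sql .= ' AND a.clock<=' . toTimestamp($options['time_till'], 'time_till');
    }
    return $sql;
}

// Constructed sample requests: one well-formed, one with a non-numeric filter.
$good = ['time_from' => '1380672000', 'time_till' => 1380758400];
$bad  = ['time_from' => 'not-a-timestamp'];

echo buildAlertQuerySafe($good), "\n";
try {
    buildAlertQuerySafe($bad);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The same rule applies to the favorites code mentioned in item (2): values written through profile storage should be validated against the type the field expects and escaped for the database driver in use, not concatenated into SQL.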
Comments

Comment by Pavels Jelisejevs (Inactive) [ 2013 Oct 02 ]
Fixed in 1.8.18rc1 r38907, 2.0.9rc1 r38908 and trunk r38909. CLOSED.

Comment by Volker Fröhlich [ 2013 Oct 02 ]
Fixed in EL6: https://admin.fedoraproject.org/updates/zabbix20-2.0.8-3.el6 Fedora, EL5 and zabbix in EL6 are to be done.

Comment by Volker Fröhlich [ 2013 Oct 03 ]
https://admin.fedoraproject.org/updates/zabbix-1.8.17-3.el6

Comment by Volker Fröhlich [ 2013 Oct 03 ]
And 2.0.8-3 from F18 to Rawhide. Thus EPEL and Fedora are done.

Comment by Pavels Jelisejevs (Inactive) [ 2013 Oct 04 ]
Great! Thanks for the prompt fix.

Comment by Takanori Suzuki [ 2013 Oct 17 ]
Hi, I found a problem in this And "insertDB()" in "CProfile" class is not doing the same escaping. I made a patch for these things.

Comment by richlv [ 2013 Oct 17 ]
takanori, could this be the same as

Comment by Takanori Suzuki [ 2013 Oct 17 ]
Hi richlv, thx.