Bug 488501

Summary: zabbix: multiple vulnerabilities in zabbix frontend
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: low
Version: unspecified
CC: bressers, dan, jeff, leo
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-22 18:15:57 UTC

Description Vincent Danen 2009-03-04 17:37:44 UTC
Quoting parts of the finder's advisory:

A) Remote Code Execution

A Remote Code Execution issue has been found in Zabbix version
1.6.2 and no authentication is required in order to exploit this
vulnerability. Magic Quotes must be off in order to exploit
this vulnerability; however, this feature will not be supported
starting with PHP 6.0 (ref. http://it2.php.net/magic_quotes).

B) Cross Site Request Forgery

A CSRF vulnerability exists in file "users.php". If the admin visits the 
following link:

/users.php?config=0&save&alias=alias&name=foo&surname=foo&user_type=3&lang=lang&theme=theme&autologout=0&url=url&refresh=0

A user with admin permissions is created.

C) Local File Inclusion

If the user is authenticated, a Local File Inclusion vulnerability 
exists in file "locales.php".

The following URL exploits this vulnerability:

/locales.php?action=1&next=1&srclang=../validate&extlang=en


The full advisory is located here: http://www.ush.it/team/ush/hack-zabbix_162/adv.txt

According to a Gentoo BTS entry on this issue:

patches seem to be here [svn://svn.zabbix.com/branches/1.6]:

------------------------------------------------------------------------
r6625 | artem | 2009-01-21 15:17:42 +0100 (Wed, 21 Jan 2009) | 1 line

 - [DEV-282] fixes frontend vulnerabilities (Artem)
------------------------------------------------------------------------
r6623 | artem | 2009-01-21 15:08:41 +0100 (Wed, 21 Jan 2009) | 1 line

 - [DEV-282] fixes frontend vulnerabilities (Artem)
------------------------------------------------------------------------
r6621 | artem | 2009-01-21 13:58:05 +0100 (Wed, 21 Jan 2009) | 1 line

 - [DEV-282] fixes frontend vulnerabilities (Artem)
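
The advisory above names three distinct frontend bug classes (a state-changing request honoured without a token, an include path built from a request parameter, and input handling that only works while magic_quotes is on). The PHP below is an added illustration of the defensive checks that close each class; it is not Zabbix's code and not the DEV-282 patch, the function names and the locale allow-list are hypothetical, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not Zabbix's own code. Function names, the $allowed list
// and the table/column names are hypothetical; the real DEV-282 fix may differ.

// C) Local File Inclusion: never derive an include path from a request
// parameter such as srclang. Map the parameter onto an explicit allow-list
// and, as a second line of defence, confirm the resolved path stays inside
// the locale directory.
function safe_locale_file(string $srclang, string $localeDir): ?string {
    // Hypothetical allow-list of shipped locale files (constructed sample).
    static $allowed = ['en_gb', 'ru_ru', 'de_de'];
    if (!in_array($srclang, $allowed, true)) {
        return null; // rejects "../validate", "", and anything not shipped
    }
    $base = realpath($localeDir);
    $path = realpath($localeDir . '/' . $srclang . '.inc.php');
    // realpath() resolves ".." segments, so a prefix check is meaningful here.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// B) Cross Site Request Forgery: a "save" action reached by GET from a link
// the admin merely visits must not be honoured. Require POST plus a
// per-session token that a third-party page cannot know or read.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post, array $session): bool {
    return isset($post['csrf_token'], $session['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Request handling sketch for a users.php-style "save" action.
function handle_user_save(string $method, array $post, array $session): string {
    if ($method !== 'POST') {
        return 'reject: state change requested via GET';
    }
    if (!csrf_check($post, $session)) {
        return 'reject: missing or wrong CSRF token';
    }
    return 'ok: proceed to create or update the user';
}

// A) Input handling that relies on magic_quotes breaks as soon as it is off
// (the default, as comment 1 notes). Parameterised queries do not depend on
// any request-time escaping, so the magic_quotes setting becomes irrelevant.
function find_user(PDO $db, string $alias): ?array {
    $stmt = $db->prepare('SELECT userid, alias FROM users WHERE alias = :alias');
    $stmt->execute([':alias' => $alias]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The token is emitted into each form as a hidden field from csrf_token() and compared with hash_equals() so the comparison does not leak timing information; the locale check deliberately rejects by allow-list first, so the realpath() prefix test only matters if the list is ever widened to user-supplied names.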

Comment 1 Vincent Danen 2009-03-04 17:39:58 UTC
I took a quick gander at the changes noted and there is a lot of noise surrounding the patches, but it doesn't look like 1.4.x is affected (which means only Fedora 10 would be affected by this), though I would appreciate a second set of eyes to verify that.

This should be corrected in the 1.6.3 release when it is made available.  The remote code execution is the one that worries me the most, as it can be done by an unauthenticated user, and magic quotes is off by default.

Comment 2 Vincent Danen 2009-03-04 17:41:26 UTC
Jeff, I'm adding you to the CC on this as it looks like you have done most of the packaging of zabbix lately (although Dan is listed as the maintainer by koji).

Thanks.

Comment 3 Jeffrey C. Ollie 2009-03-05 15:49:09 UTC
I'm working on an updated package that includes all of the post-1.6.2 patches in SVN, since there isn't a specific commit that is marked as fixing the problem.  I'll hopefully be able to do some testing today of the packages.

Comment 4 Vincent Danen 2009-03-05 16:08:56 UTC
Thanks, Jeff.  The svn revisions I noted are what the Gentoo devs believe are the fixes, but there is so much other stuff mixed in with those commits that it's hard to quickly pinpoint what the fixes are (which is what made it difficult to determine if 1.4.x is affected, but a lot of the stuff that has changed that _isn't_ whitespace or function renaming doesn't seem applicable to the older release).

Comment 5 Vincent Danen 2009-03-06 17:11:12 UTC
Looks like this may indeed affect 1.4.x, judging by this post on full-disclosure:

http://lists.grok.org.uk/pipermail/full-disclosure/2009-March/068274.html

If that is the case (can you verify it?), then this would also affect F9 and EPEL4, EPEL5.

Thanks.

Comment 6 Vincent Danen 2009-03-09 20:09:26 UTC
It also looks as though upstream fixes as of the advisory were incomplete:

http://lists.grok.org.uk/pipermail/full-disclosure/2009-March/068318.html

has more details.

Comment 7 Josh Bressers 2010-03-22 18:15:57 UTC
This appears to be fixed by new upstream versions.