Bug 488501 - zabbix: multiple vulnerabilities in zabbix frontend
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,source=bugtraq,repor...
Keywords: Security
Reported: 2009-03-04 12:37 EST by Vincent Danen
Modified: 2010-03-22 14:15 EDT
CC: 4 users
Doc Type: Bug Fix
Last Closed: 2010-03-22 14:15:57 EDT
Attachments: None

Description Vincent Danen 2009-03-04 12:37:44 EST
Quoting parts of the finder's advisory:

A) Remote Code Execution
 
A Remote Code Execution issue has been found in Zabbix version
1.6.2 and no authentication is required in order to exploit this 
vulnerability. The Magic Quotes must be off in order to exploit 
this vulnerability, however this feature will not be supported 
starting with PHP 6.0 (ref. http://it2.php.net/magic_quotes).

B) Cross Site Request Forgery

A CSRF vulnerability exists in file "users.php". If the admin visits the 
following link:

/users.php?config=0&save&alias=alias&name=foo&surname=foo&user_type=3&lang=lang&theme=theme&autologout=0&url=url&refresh=0

A user with admin permissions is created.

C) Local File Inclusion

If the user is authenticated, a Local File Inclusion vulnerability 
exists in file "locales.php".

The following URL exploits this vulnerability:

/locales.php?action=1&next=1&srclang=../validate&extlang=en


The full advisory is located here: http://www.ush.it/team/ush/hack-zabbix_162/adv.txt

According to a Gentoo BTS entry on this issue:

patches seem to be here [svn://svn.zabbix.com/branches/1.6]:

------------------------------------------------------------------------
r6625 | artem | 2009-01-21 15:17:42 +0100 (Wed, 21 Jan 2009) | 1 line

 - [DEV-282] fixes frontend vulnerabilities (Artem)
------------------------------------------------------------------------
r6623 | artem | 2009-01-21 15:08:41 +0100 (Wed, 21 Jan 2009) | 1 line

 - [DEV-282] fixes frontend vulnerabilities (Artem)
------------------------------------------------------------------------
r6621 | artem | 2009-01-21 13:58:05 +0100 (Wed, 21 Jan 2009) | 1 line

 - [DEV-282] fixes frontend vulnerabilities (Artem)
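The advisory quoted above gives the request shapes for the CSRF (an unauthenticated-looking GET to users.php with save and user_type=3) and the LFI (srclang carrying a path traversal into locales.php). The following is an added example, not code from the advisory, from Zabbix, or from this bug report: it runs a small detector over constructed Apache combined-format log lines that mimic those two requests, flagging a users.php save request whose Referer is not one of the frontend's own hosts and a srclang value outside a locale-code allow-list, and it shows the matching server-side check that resolves a locale file only when the code is on the allow-list and the resolved path stays inside the locale directory. The trusted hostnames, the locale-code pattern, and the `<code>.inc.php` file naming are assumptions made for the example.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format, not real traffic.
# The first two reproduce the request shapes quoted in the advisory; the last
# two are ordinary frontend use and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2009:12:40:01 -0500] "GET /zabbix/users.php?config=0&save&alias=alias&name=foo&surname=foo&user_type=3&lang=lang&theme=theme&autologout=0&url=url&refresh=0 HTTP/1.1" 200 512 "http://lure.example/page.html" "Mozilla/5.0"
10.0.0.5 - - [04/Mar/2009:12:40:07 -0500] "GET /zabbix/locales.php?action=1&next=1&srclang=../validate&extlang=en HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Mar/2009:12:41:00 -0500] "GET /zabbix/locales.php?action=1&next=1&srclang=en_gb&extlang=en HTTP/1.1" 200 2048 "http://zabbix.example/zabbix/locales.php" "Mozilla/5.0"
10.0.0.7 - - [04/Mar/2009:12:42:00 -0500] "POST /zabbix/users.php HTTP/1.1" 200 300 "http://zabbix.example/zabbix/users.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the hostnames the frontend is legitimately served from.
TRUSTED_HOSTS = {"zabbix.example"}
# Assumption: locale codes look like "en" or "en_gb"; anything else
# (including "../validate") is outside the allow-list.
LOCALE_RE = re.compile(r"^[a-z]{2}(?:_[a-z]{2})?$", re.IGNORECASE)


def classify(line):
    """Return (ip, script, findings) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    script = url.path.rsplit("/", 1)[-1]
    # keep_blank_values keeps the bare "save" flag from the advisory's URL
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []

    if script == "users.php" and "save" in params:
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host not in TRUSTED_HOSTS:
            findings.append("users.php save request with untrusted/missing Referer (possible CSRF)")
        if params.get("user_type", [""])[0] == "3":
            findings.append("user_type=3 grants admin permissions (per the advisory)")

    if script == "locales.php":
        for value in params.get("srclang", []):
            if not LOCALE_RE.match(value):
                findings.append(f"srclang outside locale allow-list: {value!r} (possible LFI)")

    return m["ip"], script, findings


def scan_access_log(text):
    """Return only the parsed lines that produced at least one finding."""
    hits = []
    for line in text.splitlines():
        result = classify(line) if line.strip() else None
        if result and result[2]:
            hits.append(result)
    return hits


def safe_locale_path(base_dir, srclang):
    """Server-side counterpart of the detection: resolve a locale file only if
    srclang is on the allow-list AND the resolved path stays inside base_dir.
    Assumption: locale files are named <code>.inc.php under base_dir."""
    if not LOCALE_RE.match(srclang):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, srclang + ".inc.php"))
    # Defence in depth: even an allow-listed value must resolve under base_dir.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for ip, script, findings in scan_access_log(SAMPLE_LOG):
        print(ip, script, "; ".join(findings))
```

Running the block flags only the two advisory-shaped lines; the legitimate en_gb locale request and the same-origin POST pass. The Referer check is a detection heuristic, not a fix: browsers may omit the header, so the real mitigation is a per-session CSRF token verified on every state-changing request, and the allow-list plus path containment in `safe_locale_path` is the shape of the LFI fix.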
Comment 1 Vincent Danen 2009-03-04 12:39:58 EST
I took a quick gander at the changes noted and there is a lot of noise surrounding the patches, but it doesn't look like 1.4.x is affected (which means only Fedora 10 would be affected by this), but I would appreciate a second set of eyes to verify that.

This should be corrected in the 1.6.3 release when it is made available.  The remote code execution is the one that worries me the most as it can be done by an unauthenticated user, and magic quotes is off by default.
Comment 2 Vincent Danen 2009-03-04 12:41:26 EST
Jeff, I'm adding you to the CC on this as it looks like you have done most of the packaging of zabbix lately (although Dan is listed as the maintainer by koji).

Thanks.
Comment 3 Jeffrey C. Ollie 2009-03-05 10:49:09 EST
I'm working on an updated package that includes all of the post-1.6.2 patches in SVN since there isn't a specific commit that is marked as fixing the problem.  I'll hopefully be able to do some testing today of the packages.
Comment 4 Vincent Danen 2009-03-05 11:08:56 EST
Thanks, Jeff.  The svn revisions I noted are what the Gentoo devs believe are the fixes, but there is so much other stuff mixed in with those commits, it's hard to quickly pinpoint what the fixes are (which is what made it difficult to determine if 1.4.x is affected, but a lot of the stuff that has changed that _isn't_ whitespace or function renaming doesn't seem applicable to the older release).
Comment 5 Vincent Danen 2009-03-06 12:11:12 EST
Looks like this may indeed affect 1.4.x, judging by this post on full-disclosure:

http://lists.grok.org.uk/pipermail/full-disclosure/2009-March/068274.html

If that is the case (can you verify it?), then this would also affect F9 and EPEL4, EPEL5.

Thanks.
Comment 6 Vincent Danen 2009-03-09 16:09:26 EDT
It also looks as though upstream fixes as of the advisory were incomplete:

http://lists.grok.org.uk/pipermail/full-disclosure/2009-March/068318.html

has more details.
Comment 7 Josh Bressers 2010-03-22 14:15:57 EDT
This appears to be fixed by new upstream versions.