Bug 729162 (CVE-2011-2904, CVE-2011-3263, CVE-2011-3264) - CVE-2011-2904 CVE-2011-3263 CVE-2011-3264 zabbix: multiple flaws in zabbix < 1.8.6
Summary: CVE-2011-2904 CVE-2011-3263 CVE-2011-3264 zabbix: multiple flaws in zabbix < ...
Status: CLOSED CURRENTRELEASE
Alias: CVE-2011-2904, CVE-2011-3263, CVE-2011-3264
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110804,reported=20110804,sou...
Keywords: Security
Depends On: 729164 729165
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-08 21:35 UTC by Vincent Danen
Modified: 2019-06-08 18:53 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2014-01-06 19:33:48 UTC


Attachments (Terms of Use)

Description Vincent Danen 2011-08-08 21:35:13 UTC
A vulnerability was reported [1],[2] in Zabbix where input passed to the "backurl" parameter in acknow.php is improperly sanitized before being returned to the user.  This could be used to facilitate a cross-site scripting attack.  This flaw is fixed in Zabbix 1.8.6 [3].

[1] http://secunia.com/advisories/45502
[2] https://support.zabbix.com/browse/ZBX-3835
[3] http://www.zabbix.com/rn1.8.6.php

Comment 1 Vincent Danen 2011-08-08 21:36:49 UTC
Created zabbix tracking bugs for this issue

Affects: fedora-all [bug 729164]
Affects: epel-all [bug 729165]

Comment 2 Vincent Danen 2011-08-10 17:54:12 UTC
This issue was assigned the name CVE-2011-2904.

Comment 3 Vincent Danen 2011-08-19 21:45:03 UTC
There were more issues corrected in zabbix 1.8.6, noted below:


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2904 to
the following vulnerability:

Name: CVE-2011-2904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2904
Assigned: 20110727
Reference: http://www.openwall.com/lists/oss-security/2011/08/08/2
Reference: http://www.openwall.com/lists/oss-security/2011/08/09/5
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=729162
Reference: https://support.zabbix.com/browse/ZBX-3835
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063904.html
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063884.html
Reference: http://www.securityfocus.com/bid/49016
Reference: http://secunia.com/advisories/45502
Reference: http://secunia.com/advisories/45677
Reference: http://xforce.iss.net/xforce/xfdb/69025

Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix
before 1.8.6 allows remote attackers to inject arbitrary web script or
HTML via the backurl parameter.


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3263 to
the following vulnerability:

Name: CVE-2011-3263
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3263
Assigned: 20110819
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://support.zabbix.com/browse/ZBX-3794

zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows
context-dependent attackers to cause a denial of service (CPU
consumption) by executing the vfs.file.cksum command for a special
device, as demonstrated by the /dev/urandom device.


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3264 to
the following vulnerability:

Name: CVE-2011-3264
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3264
Assigned: 20110819
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://support.zabbix.com/browse/ZBX-3840

Zabbix before 1.8.6 allows remote attackers to obtain sensitive
information via an invalid srcfld2 parameter to popup.php, which
reveals the installation path in an error message.

Comment 4 Vincent Danen 2011-08-19 21:45:58 UTC
Looks like we're ok on the Fedora side (1.8.6 in F14/F15, in testing for F16), and EPEL6 has 1.8.6 in testing as well.  I'm unsure whether or not all of these flaws affect EPEL4/5 though; it's at 1.4.6/1.4.7.

Comment 5 Volker Fröhlich 2013-01-22 15:58:01 UTC
Only EPEL 5 should be left:

https://support.zabbix.com/browse/ZBX-3840?focusedCommentId=74131#comment-74131

Comment 6 Volker Fröhlich 2014-01-06 19:33:48 UTC
zabbix 1.4.7 was retired and blocked in EPEL 5, as there is no upstream support for this version. This was the only remaining version potentially or actually prone to this issue, thus closing.

Users are encouraged to update to zabbix20 or later.


Note You need to log in before you can comment on or make changes to this bug.