Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability.

==========================================

Title: Zabbix 3.0. SQL Injection Vulnerability

Product: Zabbix

Vulnerable Version(s): 2.2.x, 3.0.x

Fixed Version: 3.0.

Homepage: http://www.zabbix.com

Patch link: https://support.zabbix.com/browse/ZBX-11023

Credit: 1N3@CrowdShield

==========================================

Vendor Description:

=====================

Zabbix is an open source availability and performance monitoring solution. 

Vulnerability Overview:

=====================

Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page.

Business Impact:

=====================

By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system.

Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure.

Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.

Proof of Concept:

=====================

latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=&toggle_ids[]=); select * from users where (=

Result:

SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (, , 'web.latest.toggle', '', , ); select * from users where (=)

latest.php: a require_once() a CProfile::flush() a CProfile::insertDB() a DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:

Disclosure Timeline:

=====================

// - Reported vulnerability to Zabbix

// - Zabbix responded with permission to file CVE and to disclose after a patch is made public

// - Zabbix released patch for vulnerability

// - CVE details submitted

// - Vulnerability details disclosed

referer:https://packetstormsecurity.com/files/138312

Zabbix 3.0.3 SQL Injection的更多相关文章

  1. PHP+MYSQL网站SQL Injection攻防

    程序员们写代码的时候讲究TDD(测试驱动开发):在实现一个功能前,会先写一个测试用例,然后再编写代码使之运行通过.其实当黑客SQL Injection时,同样是一个TDD的过程:他们会先尝试着让程序报 ...

  2. SQL Injection(SQL注入漏洞)

    审计前准备: 1.安�php程序(推荐phpStudy) 2.高亮编辑器(推荐 Sublimetext Notepad++) 3.新建一个文本,复制以下变量,这些变量是审计中需要在源码中寻找的 ### ...

  3. zabbix 3.0 安装 ubuntu环境

    zabbix 3.0 安装 标签(空格分隔): 开发 [TOC] 下载deb # wget http://repo.zabbix.com/zabbix/3.0/ubuntu/pool/main/z/z ...

  4. HP+MYSQL网站SQL Injection攻防

    WebjxCom提示:程序员们写代码的时候讲究TDD(测试驱动开发):在实现一个功能前,会先写一个测试用例,然后再编写代码使之运行通过.其实当黑客SQL Injection时,同样是一个TDD的过程: ...

  5. [转]Zabbix 3.0 安装笔记

    Zabbix 3.0 只支持CentOS 7.0以上版本,所以先在虚拟机中安装好CentOS 7.0 x64,并设置好IP,允许虚拟机联网. 1.安装MySQL 从最新版本的linux系统开始,默认的 ...

  6. Cacti /graphs_new.php SQL Injection Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 other SQL injection vulnerability ...

  7. ecshop /search.php SQL Injection Vul

    catalog . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 ECSHOP商城系统Search.php页面过滤不严导致SQL注入漏洞 ...

  8. ecshop /pick_out.php SQL Injection Vul By Local Variable Overriding

    catalog . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 在进行输入变量本地模拟注册的时候,没有进行有效的GPC模拟过滤处理,导出 ...

  9. zabbix 3.0快速安装简介(centos 6)

    zabbix快速安装 系统版本:centos 6 1.yum源配置和zabbix.msyql安装 rpm -ivh http://mirrors.aliyun.com/zabbix/zabbix/3. ...

随机推荐

  1. 利用session完成用户登陆

    package cn.itcast.cookie; import java.io.IOException; import java.io.PrintWriter; import java.util.L ...

  2. JS控制打印指定div

    <html><head><script language="javascript">function printdiv(printpage){v ...

  3. 10.5.2 Boot Block 启动块 - 操作系统教程

    简单一篇文章明白地讲解了计算机操作系统的启动过程 OPERATING SYSTEM CONCEPTS ABRAHAM SILBERSCHATZ PETER BAER GALVIN GREG GAGNE ...

  4. android发送/接收json数据

    客户端向服务器端发送数据,这里用到了两种,一种是在url中带参数,一种是json数据发送方式: url带参数的写法: url+/?r=m/calendar/contact_list&uid=3 ...

  5. 初步了解JSONP

    一.JSON 与 JSONP JSON是一种基于文本的数据交换方式(数据描述格式),JSONP是一种非官方跨域数据交互协议. ajax的核心是通过XmlHttpRequest获取非本页内容,而json ...

  6. 使用swfupload上传超过30M文件,使用FLASH上传组件

    原文:使用swfupload上传超过30M文件,使用FLASH上传组件 前一段时间会员的上传组件改用FLASH的swfupload来上传,既能很友好的显示上传进度,又能完全满足大文件的上传. 后来服务 ...

  7. ++i 与 i++ 区别

    i++返回原来的值 ++i 返回i+1的值   但是i++  i的值也会增加1 但是返回还是原来的值 int i = 1; i = i++; System.out.println(i); 输出 1 i ...

  8. html5新增语义标签

    1.header <header> 标签定义文档的页眉(介绍信息). 2.nav <nav> 标签定义导航链接的部分. 3.article <article> 标签 ...

  9. 用命令实现SQLServerr的备份与还原

    一.备份数据库,命令如下: USE master; GO BACKUP DATABASE mytest TO DISK='E:\disk\mytest.bak' /* mytest为数据库名称,'E: ...

  10. JQuery + XML作为前后台数据交换格式实践

    JQuery + xml作为前后台数据交换 JQuery提供良好的异步加载接口AJAX,可以局部更新页面数据, http://api.jquery.com/category/ajax/ xml作为一种 ...