Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability.

==========================================

Title: Zabbix 3.0. SQL Injection Vulnerability

Product: Zabbix

Vulnerable Version(s): 2.2.x, 3.0.x

Fixed Version: 3.0.

Homepage: http://www.zabbix.com

Patch link: https://support.zabbix.com/browse/ZBX-11023

Credit: 1N3@CrowdShield

==========================================

Vendor Description:

=====================

Zabbix is an open source availability and performance monitoring solution. 

Vulnerability Overview:

=====================

Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page.

Business Impact:

=====================

By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system.

Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure.

Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.

Proof of Concept:

=====================

latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=&toggle_ids[]=); select * from users where (=

Result:

SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (, , 'web.latest.toggle', '', , ); select * from users where (=)

latest.php: a require_once() a CProfile::flush() a CProfile::insertDB() a DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:

Disclosure Timeline:

=====================

// - Reported vulnerability to Zabbix

// - Zabbix responded with permission to file CVE and to disclose after a patch is made public

// - Zabbix released patch for vulnerability

// - CVE details submitted

// - Vulnerability details disclosed

referer:https://packetstormsecurity.com/files/138312

Zabbix 3.0.3 SQL Injection的更多相关文章

  1. PHP+MYSQL网站SQL Injection攻防

    程序员们写代码的时候讲究TDD(测试驱动开发):在实现一个功能前,会先写一个测试用例,然后再编写代码使之运行通过.其实当黑客SQL Injection时,同样是一个TDD的过程:他们会先尝试着让程序报 ...

  2. SQL Injection(SQL注入漏洞)

    审计前准备: 1.安�php程序(推荐phpStudy) 2.高亮编辑器(推荐 Sublimetext Notepad++) 3.新建一个文本,复制以下变量,这些变量是审计中需要在源码中寻找的 ### ...

  3. zabbix 3.0 安装 ubuntu环境

    zabbix 3.0 安装 标签(空格分隔): 开发 [TOC] 下载deb # wget http://repo.zabbix.com/zabbix/3.0/ubuntu/pool/main/z/z ...

  4. HP+MYSQL网站SQL Injection攻防

    WebjxCom提示:程序员们写代码的时候讲究TDD(测试驱动开发):在实现一个功能前,会先写一个测试用例,然后再编写代码使之运行通过.其实当黑客SQL Injection时,同样是一个TDD的过程: ...

  5. [转]Zabbix 3.0 安装笔记

    Zabbix 3.0 只支持CentOS 7.0以上版本,所以先在虚拟机中安装好CentOS 7.0 x64,并设置好IP,允许虚拟机联网. 1.安装MySQL 从最新版本的linux系统开始,默认的 ...

  6. Cacti /graphs_new.php SQL Injection Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 other SQL injection vulnerability ...

  7. ecshop /search.php SQL Injection Vul

    catalog . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 ECSHOP商城系统Search.php页面过滤不严导致SQL注入漏洞 ...

  8. ecshop /pick_out.php SQL Injection Vul By Local Variable Overriding

    catalog . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 在进行输入变量本地模拟注册的时候,没有进行有效的GPC模拟过滤处理,导出 ...

  9. zabbix 3.0快速安装简介(centos 6)

    zabbix快速安装 系统版本:centos 6 1.yum源配置和zabbix.msyql安装 rpm -ivh http://mirrors.aliyun.com/zabbix/zabbix/3. ...

随机推荐

  1. Js表单Submit问题

    一般在submit前,会用js查核是否满足提交标准,如下: function doSubmit(){ if(doucument.getElementbyId("myID") ==& ...

  2. DS Tree 已知后序、中序 => 建树 => 求先序

    注意点: 和上一篇的DS Tree 已知先序.中序 => 建树 => 求后序差不多,注意的地方是在aftorder中找根节点的时候,是从右往左找,因此递归的时候注意参数,最好是拿纸和笔模拟 ...

  3. 台式机的集显HD4600驱动-黑苹果之路

    台式机的集显HD4600驱动-黑苹果之路 半桶水还真可怕,整了一个礼拜的台式机黑苹果,竟然都没搞定asus z87-k的HD4600核显.最终为了不耽误工作,上淘宝,花钱买服务.显卡驱动分为变色龙和c ...

  4. objective-c基础教程——学习小结

    objective-c基础教程——学习小结   提纲: 简介 与C语言相比要注意的地方 objective-c高级特性 开发工具介绍(cocoa 工具包的功能,框架,源文件组织:XCode使用介绍) ...

  5. JS之原型对象

    1.__proto__ 每个对象都有一个__proto__属性,指向该对象的原型对象 <script> var person = function(name,city){ this.nam ...

  6. meanshift

    http://blog.jasonding.top/2014/10/14/Machine%20Learning/%E3%80%90%E8%AE%A1%E7%AE%97%E6%9C%BA%E8%A7%8 ...

  7. 使用maven来管理您的java项目

    maven是一个项目管理工具,使用maven可以自动管理java项目的整个生命周期,包括编译.构建.测试.发布和报告等.在大型项目开发中,使用maven来管理是必不可少的. 一.安装maven 1.W ...

  8. EBS R12.2 创建应用层的启动和关闭脚本

    Create the following files to start and stop R12. application tier. Change the apps and weblogic pas ...

  9. c#大文件分割过程

    需求: 在项目开发中,我们会遇到单个文件大小超过1TB的文件,这样的文件只能进行单文件读取,往往会造成读取完成耗时过长,导致客户在使用体验过程中不满意. 为了解决提升大文件的解析速度,我想到了先分割大 ...

  10. 一般处理程序返回json

    一般处理程序:    public void ProcessRequest(HttpContext context)         {             string action = con ...