Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability.

==========================================

Title: Zabbix 3.0. SQL Injection Vulnerability

Product: Zabbix

Vulnerable Version(s): 2.2.x, 3.0.x

Fixed Version: 3.0.

Homepage: http://www.zabbix.com

Patch link: https://support.zabbix.com/browse/ZBX-11023

Credit: 1N3@CrowdShield

==========================================

Vendor Description:

=====================

Zabbix is an open source availability and performance monitoring solution. 

Vulnerability Overview:

=====================

Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page.

Business Impact:

=====================

By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system.

Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure.

Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.

Proof of Concept:

=====================

latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=&toggle_ids[]=); select * from users where (=

Result:

SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (, , 'web.latest.toggle', '', , ); select * from users where (=)

latest.php: a require_once() a CProfile::flush() a CProfile::insertDB() a DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:

Disclosure Timeline:

=====================

// - Reported vulnerability to Zabbix

// - Zabbix responded with permission to file CVE and to disclose after a patch is made public

// - Zabbix released patch for vulnerability

// - CVE details submitted

// - Vulnerability details disclosed

referer:https://packetstormsecurity.com/files/138312

Zabbix 3.0.3 SQL Injection的更多相关文章

  1. PHP+MYSQL网站SQL Injection攻防

    程序员们写代码的时候讲究TDD(测试驱动开发):在实现一个功能前,会先写一个测试用例,然后再编写代码使之运行通过.其实当黑客SQL Injection时,同样是一个TDD的过程:他们会先尝试着让程序报 ...

  2. SQL Injection(SQL注入漏洞)

    审计前准备: 1.安�php程序(推荐phpStudy) 2.高亮编辑器(推荐 Sublimetext Notepad++) 3.新建一个文本,复制以下变量,这些变量是审计中需要在源码中寻找的 ### ...

  3. zabbix 3.0 安装 ubuntu环境

    zabbix 3.0 安装 标签(空格分隔): 开发 [TOC] 下载deb # wget http://repo.zabbix.com/zabbix/3.0/ubuntu/pool/main/z/z ...

  4. HP+MYSQL网站SQL Injection攻防

    WebjxCom提示:程序员们写代码的时候讲究TDD(测试驱动开发):在实现一个功能前,会先写一个测试用例,然后再编写代码使之运行通过.其实当黑客SQL Injection时,同样是一个TDD的过程: ...

  5. [转]Zabbix 3.0 安装笔记

    Zabbix 3.0 只支持CentOS 7.0以上版本,所以先在虚拟机中安装好CentOS 7.0 x64,并设置好IP,允许虚拟机联网. 1.安装MySQL 从最新版本的linux系统开始,默认的 ...

  6. Cacti /graphs_new.php SQL Injection Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 other SQL injection vulnerability ...

  7. ecshop /search.php SQL Injection Vul

    catalog . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 ECSHOP商城系统Search.php页面过滤不严导致SQL注入漏洞 ...

  8. ecshop /pick_out.php SQL Injection Vul By Local Variable Overriding

    catalog . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 在进行输入变量本地模拟注册的时候,没有进行有效的GPC模拟过滤处理,导出 ...

  9. zabbix 3.0快速安装简介(centos 6)

    zabbix快速安装 系统版本:centos 6 1.yum源配置和zabbix.msyql安装 rpm -ivh http://mirrors.aliyun.com/zabbix/zabbix/3. ...

随机推荐

  1. Android课程---表格布局TableLayout

    特别注意:由于表格布局继承自线性布局,因此并不显示表格线 示例代码: <?xml version="1.0" encoding="utf-8"?> ...

  2. BZOJ4448:[SCO2015]情报传递

    题目大意:给你一棵树,有两种操作,一个是修改某个点的权值,另一个是询问两点之间的距离以及路径上小于某个值的数的个数. 询问两点之间距离直接lca即可,对于求个数的问题可以用主席树完成. #includ ...

  3. 【iCore3 双核心板_FPGA】实验十六:基于SPI总线的ARM与FPGA通信实验

    实验指导书及代码包下载: http://pan.baidu.com/s/1hs6lDdi iCore3 购买链接: https://item.taobao.com/item.htm?id=524229 ...

  4. php数字操作,高精度函数,保留计算结果小数位

    $l = 45456.51; $r = 455778.44; $e = '100.00'; $f= '500.00'; $res = bcadd($l, $r,3);//小数点后的位数,精度就是由这个 ...

  5. Windows 10输入法已禁用IME无法输入中文怎么办

    Windows 10输入法已禁用IME无法输入中文怎么办 | 浏览:10453 | 更新:2015-03-01 14:46 | 标签:windows 1 2 3 4 5 分步阅读 Windows10系 ...

  6. php发送post请求到nodejs服务器

    curl_setopt ( $ch, CURLOPT_POSTFIELDS, $data ); 改为 curl_setopt ( $ch, CURLOPT_POSTFIELDS, http_build ...

  7. transform的用法和注意事项

    1.作用: 1)transform可以控制平移.比例缩放和旋转. 2)transform中的方法主要分为两种:带make和不带make的方法. 3)带make的方法主要是基于控件最初的状态进行改变,所 ...

  8. 菜菜CPP日记

    分支预测建议: http://www.cppblog.com/mysileng/archive/2014/09/29/208454.html #ifndef likely #define likely ...

  9. PHP输出当前进程所有变量 / 常量 / 模块 / 函数 / 类

    <?php /* 不知道怎么打印某个函数的参数和相关分类类型的所有函数 以下函数如果没有参数,返回的都是一个数组get_defined_functions() 获取所有已经定义的函数get_de ...

  10. Display Voxel Gird and PCA

    https://github.com/yhexie/NDTEX 最近科研没有思路,写点代码加强基础知识的学习吧. 下面写了一个点云体素分割,PCA计算体素内点云的特征值和特征向量.