SQL injection vulnerability in Zabbix <= 1.8.1

2010-05-27T00:00:00
ID SECURITYVULNS:DOC:23932
Type securityvulns
Reporter Securityvulns
Modified 2010-05-27T00:00:00

Description

Product: Zabbix Vendor: Zabbix SIA References: http://www.securityfocus.com/bid/39752 http://secunia.com/advisories/39119 Software Link: http://www.zabbix.com/ Vulnerable Version: <= 1.8.1 Vulnerability Type: SQL Injection Status: Fixed in version 1.8.2 Risk level: Medium Author: David "skys" Guimaraes (skysbsb[at]gmail.com) Date: 27/04/2010

Vulnerability Details: The vulnerability exists due to failure in the "events.php" script to properly sanitize user-supplied input in "nav_time" variable. Attacker can execute arbitrary queries to the database, compromise the application or exploit various vulnerabilities in the underlying SQL database.

Attacker can use browser to exploit this vulnerability. The following PoC is available: http://vulnsite.com/path_to_zabbix/events.php?nav_time=-1+UNION+ALL+SELECT+1,2,3,4,5,6,7+from+events+where+(testvalue)--

Positive response page contains: "\"info\">1"

-- David "skys" Guimaraes