Giuseppe Iuculano
2009-Mar-04 18:21 UTC
[Secure-testing-team] Bug#518193: [SA34091] ZABBIX PHP Frontend Multiple Vulnerabilities
Package: zabbix-frontend-php
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The following SA (Secunia Advisory) id was published for zabbix-frontend-php:

SA34091[1]:

> DESCRIPTION:
> Some vulnerabilities have been reported in the ZABBIX PHP frontend,
> which can be exploited by malicious people to conduct cross-site
> request forgery attacks and malicious users to disclose sensitive
> information and compromise a vulnerable system.
>
> 1) Input appended to and passed via the "extlang" parameter to the
> "calc_exp2()" function in include/validate.inc.php is not properly
> sanitised before being used. This can be exploited to inject and
> execute arbitrary PHP code.
>
> 2) The application allows users to perform certain actions via HTTP
> requests without performing any validity checks to verify the
> requests. This can be exploited to e.g. create users by enticing a
> logged in administrator to visit a malicious web page.
>
> 3) Input passed to the "srclang" parameter in locales.php (when
> "next" is set to a non-NULL value) is not properly verified before
> being used to include files. This can be exploited to include
> arbitrary files from local resources via directory traversal attacks
> and URL-encoded NULL bytes.
>
> The vulnerabilities are reported in version 1.6.2. Other versions may
> also be affected.
>
> SOLUTION:
> Edit the source code to ensure that input is properly sanitised and
> verified.
> Do not visit untrusted web sites while logged on to the application.
>
> PROVIDED AND/OR DISCOVERED BY:
> Antonio "s4tan" Parata, Francesco "ascii" Ongaro, and Giovanni
> "evilaliv3" Pellerano.
>
> ORIGINAL ADVISORY:
> http://www.ush.it/team/ush/hack-zabbix_162/adv.txt

Upstream fixed this issue in his svn repository (svn://svn.zabbix.com)
r6710,r6709,r6658,r6657,r6645,r6644,r6626-r6621

If you fix the vulnerability please also make sure to include the CVE id
(if available) in the changelog entry.

[1] http://secunia.com/advisories/34091/

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmuxoMACgkQNxpp46476aqqsQCdFYZZF+l9mU/s8IrE2EzRAqL2
DfMAn1ZYYkuhXxpNW9ArWp6qOlJc6wdE
=Ns8S
-----END PGP SIGNATURE-----
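
One way to apply the advisory's "properly sanitised and verified" advice to item 3, as an added example that is not ZABBIX code and not part of the original message: a hypothetical `resolve_locale_file()` helper that validates a user-supplied locale name before it is used in an include. The `xx_yy` name pattern, the `.inc.php` suffix, the allowlist contents and the directory layout are all assumptions.

```php
<?php
// Added example: hypothetical helper, not ZABBIX code. The locale naming
// pattern, the ".inc.php" suffix and the directory layout are assumptions.

function resolve_locale_file(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Strict syntax: lowercase "xx_yy" only. \A and \z anchor the whole
    //    string, so NUL bytes, "/", "\" and ".." can never match.
    if (!preg_match('/\A[a-z]{2}_[a-z]{2}\z/', $name)) {
        return null;
    }
    // 2. Allowlist: only locales the application actually ships.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 3. Containment: the canonical path must exist and sit under the base dir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.inc.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary locale directory with a single file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'locale_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'en_gb.inc.php', "<?php return ['S_OK' => 'OK'];\n");

$allowed = ['en_gb', 'fr_fr'];
// Constructed inputs: one valid name, then traversal, NUL byte, wrong case,
// a name missing from the allowlist, and an allowed name with no file on disk.
$inputs = ['en_gb', '../../etc/passwd', "en_gb\0", 'EN_GB', 'de_de', 'fr_fr'];
foreach ($inputs as $input) {
    $file = resolve_locale_file($input, $dir, $allowed);
    echo json_encode($input, JSON_UNESCAPED_SLASHES), ' => ',
        $file === null ? 'rejected' : 'include ' . basename($file), "\n";
}

unlink($dir . DIRECTORY_SEPARATOR . 'en_gb.inc.php');
rmdir($dir);
```

Only the first input resolves to a file; the caller includes the returned canonical path and never the raw request value.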