[Secure-testing-team] Bug#518193: [SA34091] ZABBIX PHP Frontend Multiple Vulnerabilities

Giuseppe Iuculano giuseppe at iuculano.it
Wed Mar 4 18:21:03 UTC 2009


Package: zabbix-frontend-php
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The following SA (Secunia Advisory) id was published for
zabbix-frontend-php:

SA34091[1]:

> DESCRIPTION:
> Some vulnerabilities have been reported in the ZABBIX PHP frontend,
> which can be exploited by malicious people to conduct cross-site
> request forgery attacks and malicious users to disclose sensitive
> information and compromise a vulnerable system.
> 
> 1) Input appended to and passed via the "extlang" parameter to the
> "calc_exp2()" function in include/validate.inc.php is not properly
> sanitised before being used. This can be exploited to inject and
> execute arbitrary PHP code.
> 
> 2) The application allows users to perform certain actions via HTTP
> requests without performing any validity checks to verify the
> requests. This can be exploited to e.g. create users by enticing a
> logged in administrator to visit a malicious web page.
> 
> 3) Input passed to the "srclang" parameter in locales.php (when
> "next" is set to a non-NULL value) is not properly verified before
> being used to include files. This can be exploited to include
> arbitrary files from local resources via directory traversal attacks
> and URL-encoded NULL bytes.
> 
> The vulnerabilities are reported in version 1.6.2. Other versions may
> also be affected.
> 
> SOLUTION:
> Edit the source code to ensure that input is properly sanitised and
> verified.
> Do not visit untrusted web sites while logged on to the application.
> 
> PROVIDED AND/OR DISCOVERED BY:
> Antonio "s4tan" Parata, Francesco "ascii" Ongaro, and Giovanni
> "evilaliv3" Pellerano.
> 
> ORIGINAL ADVISORY:
> http://www.ush.it/team/ush/hack-zabbix_162/adv.txt

Upstream fixed this issue in its svn repository (svn://svn.zabbix.com)
r6710, r6709, r6658, r6657, r6645, r6644, r6626-r6621


If you fix the vulnerability please also make sure to include the CVE id
(if available) in the changelog entry.

[1] http://secunia.com/advisories/34091/

Cheers,
Giuseppe.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmuxoMACgkQNxpp46476aqqsQCdFYZZF+l9mU/s8IrE2EzRAqL2
DfMAn1ZYYkuhXxpNW9ArWp6qOlJc6wdE
=Ns8S
-----END PGP SIGNATURE-----
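
An added illustration of the kind of input verification item 3 of the quoted advisory calls for; it is not part of the original message and is not the upstream ZABBIX patch. The function name `resolve_locale_file` and the `<code>.inc.php` file layout are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not ZABBIX code: map a user-supplied language code to
// a file under $localeDir, or return null. The "<code>.inc.php" naming is assumed.
function resolve_locale_file(string $srclang, string $localeDir): ?string
{
    // 1. Strict shape check: rejects "/", "..", "%" and NUL bytes in one step.
    if (preg_match('/\A[a-z]{2}_[a-z]{2}\z/', $srclang) !== 1) {
        return null;
    }
    // 2. Allowlist built from the files actually shipped, not from the request.
    $known = [];
    foreach (glob($localeDir . '/*.inc.php') ?: [] as $file) {
        $known[basename($file, '.inc.php')] = $file;
    }
    if (!isset($known[$srclang])) {
        return null;
    }
    // 3. Defence in depth: the resolved path must stay inside the base directory.
    $base = realpath($localeDir);
    $real = realpath($known[$srclang]);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a temporary locale directory with one language file.
$dir = sys_get_temp_dir() . '/locale_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/en_gb.inc.php', "<?php return [];\n");

$samples = [                       // constructed inputs
    'en_gb',                       // legitimate value
    'fr_fr',                       // well-formed but not installed
    "../../../../etc/passwd\0",    // traversal plus NUL byte, as the advisory describes
    '..%2f..%2fetc%2fpasswd%00',   // the same idea, still URL-encoded
];
foreach ($samples as $s) {
    $path = resolve_locale_file($s, $dir);
    printf("%-32s => %s\n", json_encode($s), $path === null ? 'rejected' : 'accepted');
}
unlink($dir . '/en_gb.inc.php');
rmdir($dir);
```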