Full Disclosure mailing list archives
Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities
From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Mon, 9 Mar 2009 14:59:00 +0300
Good day. Small addition to the advisory. Tue, Mar 03, 2009 at 03:30:26PM +0000, ascii wrote:
Zabbix 1.6.2 Frontend Multiple Vulnerabilities
[...]
C) Local File Inclusion If the user is authenticated, a Local File Inclusion vulnerability exists in file "locales.php". The following URL exploits this vulnerability: /locales.php?action=1&next=1&srclang=../validate&extlang=en A string in the form of ".inc.php" is automatically appended to the local file path. Despite that it's possible to include every target file truncating the filename using %00 (nullbyte): /locales.php?next=1&srclang=../../../../../../../var/log/apache2/error_log%00%22 Nullbyte injection normally requires magic quotes off. The vulnerable code is the following: --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- 'srclang'=> array(T_ZBX_STR, O_OPT, NULL, NOT_EMPTY, 'isset({next})'), [...] else if(isset($_REQUEST['next'])){ [...] $fileFrom = 'include/locales/'.$_REQUEST['srclang'].".inc.php"; if(file_exists($fileFrom)){ include($fileFrom); --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
The second variable, 'extlang', also can be used for the file inclusion and before r6886 there was the programming error: patch for locales.php r6593 included wrong validation condition for 'extlang': ----- if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && ($_REQUEST['extlang'] != 'new')) ----- This was fixed in revision 6886 of branches/1.6.
IV. DETECTION Zabbix 1.6.2 and possibly earlier versions are vulnerable. V. WORKAROUND Update zabbix from svn the server (svn://svn.zabbix.com) or download version 1.6.3 when aviable.
Be sure to update to the r6886 or later, otherwise LFI will still be possible. -- Eygene _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Zabbix 1.6.2 Frontend Multiple Vulnerabilities ascii (Mar 03)
- Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities bob jones (Mar 04)
- Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities ascii (Mar 04)
- Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities Roberto Muñoz Fernandez (Mar 05)
- Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities Eygene Ryabinkin (Mar 09)
- <Possible follow-ups>
- Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities bobby . mugabe (Mar 04)
- Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities Valdis . Kletnieks (Mar 04)
- Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities Jason Starks (Mar 04)
- Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities Valdis . Kletnieks (Mar 04)
- Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities bob jones (Mar 04)