Home page logo
  • Nmap Security Scanner
  • Security Lists
  • Security Tools
  • Site News
  • Advertising
  • About/Contact
  • Sponsors:



/

fulldisclosure logo Full Disclosure mailing list archives

Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities
From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Mon, 9 Mar 2009 14:59:00 +0300
Good day.

Small addition to the advisory.

Tue, Mar 03, 2009 at 03:30:26PM +0000, ascii wrote:

Zabbix 1.6.2 Frontend Multiple Vulnerabilities

[...]

C) Local File Inclusion

If the user is authenticated, a Local File Inclusion vulnerability
exists in file "locales.php".

The following URL exploits this vulnerability:

/locales.php?action=1&next=1&srclang=../validate&extlang=en

A string in the form of ".inc.php" is automatically appended to the
local file path. Despite that it's possible to include every target
file truncating the filename using %00 (nullbyte):

/locales.php?next=1&srclang=../../../../../../../var/log/apache2/error_log%00%22

Nullbyte injection normally requires magic quotes off.

The vulnerable code is the following:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

 'srclang'=> array(T_ZBX_STR, O_OPT, NULL, NOT_EMPTY, 'isset({next})'),
[...]
else if(isset($_REQUEST['next'])){
[...]
 $fileFrom = 'include/locales/'.$_REQUEST['srclang'].".inc.php";
  if(file_exists($fileFrom)){
   include($fileFrom);

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--


The second variable, 'extlang', also can be used for the file inclusion
and before r6886 there was the programming error: patch for locales.php
r6593 included wrong validation condition for 'extlang':
-----
if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && ($_REQUEST['extlang'] != 'new'))
-----
This was fixed in revision 6886 of branches/1.6.


IV. DETECTION

Zabbix 1.6.2 and possibly earlier versions are vulnerable.

V. WORKAROUND

Update zabbix from svn the server (svn://svn.zabbix.com) or download
version 1.6.3 when aviable.


Be sure to update to the r6886 or later, otherwise LFI will still
be possible.
-- 
Eygene

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]