Zabbix < 1.8.18 / 2.0.9 Multiple SQL Injection Vulnerabilities
Medium Nessus Network Monitor Plugin ID 8049
SynopsisThe remote host is running a web application that is vulnerable to a SQL-injection attack.
DescriptionThe remote host is running Zabbix, an IT monitoring service. Versions of Zabbix earlier than 1.8.18 or 2.0.9 are contain a number of SQL injection vulnerabilities via the API and web front end. The following API methods are reported to be vulnerable:
- alert.get: time_from, time_till;
- event.get: object, source, eventid_from, eventid_till;
- graphitem.get: parameter: type;
- graph.get: parameter: type;
- graphprototype.get: parameter: type;
- history.get: parameter: time_from, time_till;
- trigger.get: parameter: lastChangeSince, lastChangeTill, min_severity;
- triggerprototype.get: parameter: min_severity;
- usergroup.get: parameter: status
Other pages vulnerable to SQL injection include the "Dashboard", "Graphs", "Maps", "Latest data" and "Screens" pages in the "Monitoring" section. Successful attacks allow an attacker to gain access to the database and execute arbitrary SQL statements.
SolutionUpgrade to Zabbix 2.0.9 / 1.8.18 or later. Additionally, patches are available for versions 2.0.8 / 1.8.17 / 1.8.2.