Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities

To: ascii <ascii@xxxxxxxxxxxx>
Subject: Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities
From: Eygene Ryabinkin <rea-sec@xxxxxxxxxxx>
Date: Mon, 9 Mar 2009 14:59:00 +0300
Cc: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, Full-Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, Vulnerability Information Managers <vim@xxxxxxxxxxxxx>, Vulnwatch <vulnwatch@xxxxxxxxxxxxx>, News Securiteam <news@xxxxxxxxxxxxxx>, Security Tracker <bugs@xxxxxxxxxxxxxxxxxxx>, Secunia Research <vuln@xxxxxxxxxxx>
Domainkey-signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:Reply-To:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=eFrNSpJ0ZlQVKhimvDdsTjRnVsQPW//ueBfhqsfCVPhnTZGR1+kLFYm7d9/epJMATs9cih8PdN8tFpdkMnR8BWcrYh42mt/LAeuRfZgCAccCnssZ+nIiXdtvblxyzikF8xdLi3p5BtB4dnuv0VBWymFQJmiDn9qmU/Cr1BCxjOU=;
In-reply-to: <49AD4D12.7000601@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <49AD4D12.7000601@xxxxxxxxxxxx>
Reply-to: rea-sec@xxxxxxxxxxx
Sender: rea-sec@xxxxxxxxxxx

Good day.

Small addition to the advisory.

Tue, Mar 03, 2009 at 03:30:26PM +0000, ascii wrote:
> Zabbix 1.6.2 Frontend Multiple Vulnerabilities
[...]
> C) Local File Inclusion
> 
> If the user is authenticated, a Local File Inclusion vulnerability
> exists in file "locales.php".
> 
> The following URL exploits this vulnerability:
> 
> /locales.php?action=1&next=1&srclang=../validate&extlang=en
> 
> A string in the form of ".inc.php" is automatically appended to the
> local file path. Despite that it's possible to include every target
> file truncating the filename using %00 (nullbyte):
> 
> /locales.php?next=1&srclang=../../../../../../../var/log/apache2/error_log%00%22
> 
> Nullbyte injection normally requires magic quotes off.
> 
> The vulnerable code is the following:
> 
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
> 
>  'srclang'=> array(T_ZBX_STR, O_OPT, NULL, NOT_EMPTY, 'isset({next})'),
> [...]
> else if(isset($_REQUEST['next'])){
> [...]
>  $fileFrom = 'include/locales/'.$_REQUEST['srclang'].".inc.php";
>   if(file_exists($fileFrom)){
>    include($fileFrom);
> 
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The second variable, 'extlang', also can be used for the file inclusion
and before r6886 there was the programming error: patch for locales.php
r6593 included wrong validation condition for 'extlang':
-----
if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && ($_REQUEST['extlang'] != 
'new'))
-----
This was fixed in revision 6886 of branches/1.6.

> IV. DETECTION
> 
> Zabbix 1.6.2 and possibly earlier versions are vulnerable.
> 
> V. WORKAROUND
> 
> Update zabbix from svn the server (svn://svn.zabbix.com) or download
> version 1.6.3 when aviable.

Be sure to update to the r6886 or later, otherwise LFI will still
be possible.
-- 
Eygene

References:
- Zabbix 1.6.2 Frontend Multiple Vulnerabilities
  - From: ascii

Prev by Date: Re: Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system
Next by Date: Secunia Research: Foxit Reader JBIG2 Symbol Dictionary Processing Vulnerability
Previous by thread: Re: [Full-disclosure] Zabbix 1.6.2 Frontend Multiple Vulnerabilities
Next by thread: [SECURITY] [DSA 1733-1] New vim packages fix multiple vulnerabilities
Index(es):
- Date
- Thread