lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <RXWbe1QUm1Dt0MhKb87puulEh7Q@gbU35ZqJZ8emv+BtWwYtammwmJ4> Date: Mon, 9 Mar 2009 14:59:00 +0300 From: Eygene Ryabinkin <rea-sec@...elabs.ru> To: ascii <ascii@...amail.com> Cc: Bugtraq <bugtraq@...urityfocus.com>, Full-Disclosure <full-disclosure@...ts.grok.org.uk>, Vulnerability Information Managers <vim@...rition.org>, Vulnwatch <vulnwatch@...nwatch.org>, News Securiteam <news@...uriteam.com>, Security Tracker <bugs@...uritytracker.com>, Secunia Research <vuln@...unia.com> Subject: Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities Good day. Small addition to the advisory. Tue, Mar 03, 2009 at 03:30:26PM +0000, ascii wrote: > Zabbix 1.6.2 Frontend Multiple Vulnerabilities [...] > C) Local File Inclusion > > If the user is authenticated, a Local File Inclusion vulnerability > exists in file "locales.php". > > The following URL exploits this vulnerability: > > /locales.php?action=1&next=1&srclang=../validate&extlang=en > > A string in the form of ".inc.php" is automatically appended to the > local file path. Despite that it's possible to include every target > file truncating the filename using %00 (nullbyte): > > /locales.php?next=1&srclang=../../../../../../../var/log/apache2/error_log%00%22 > > Nullbyte injection normally requires magic quotes off. > > The vulnerable code is the following: > > --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- > > 'srclang'=> array(T_ZBX_STR, O_OPT, NULL, NOT_EMPTY, 'isset({next})'), > [...] > else if(isset($_REQUEST['next'])){ > [...] > $fileFrom = 'include/locales/'.$_REQUEST['srclang'].".inc.php"; > if(file_exists($fileFrom)){ > include($fileFrom); > > --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- The second variable, 'extlang', also can be used for the file inclusion and before r6886 there was the programming error: patch for locales.php r6593 included wrong validation condition for 'extlang': ----- if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && ($_REQUEST['extlang'] != 'new')) ----- This was fixed in revision 6886 of branches/1.6. > IV. DETECTION > > Zabbix 1.6.2 and possibly earlier versions are vulnerable. > > V. WORKAROUND > > Update zabbix from svn the server (svn://svn.zabbix.com) or download > version 1.6.3 when aviable. Be sure to update to the r6886 or later, otherwise LFI will still be possible. -- Eygene
Powered by blists - more mailing lists