[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <RXWbe1QUm1Dt0MhKb87puulEh7Q@gbU35ZqJZ8emv+BtWwYtammwmJ4>
Date: Mon, 9 Mar 2009 14:59:00 +0300
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: ascii <ascii@...amail.com>
Cc: Bugtraq <bugtraq@...urityfocus.com>,
Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
Vulnerability Information Managers <vim@...rition.org>,
Vulnwatch <vulnwatch@...nwatch.org>,
News Securiteam <news@...uriteam.com>,
Security Tracker <bugs@...uritytracker.com>,
Secunia Research <vuln@...unia.com>
Subject: Re: Zabbix 1.6.2 Frontend Multiple Vulnerabilities
Good day.
Small addition to the advisory.
Tue, Mar 03, 2009 at 03:30:26PM +0000, ascii wrote:
> Zabbix 1.6.2 Frontend Multiple Vulnerabilities
[...]
> C) Local File Inclusion
>
> If the user is authenticated, a Local File Inclusion vulnerability
> exists in file "locales.php".
>
> The following URL exploits this vulnerability:
>
> /locales.php?action=1&next=1&srclang=../validate&extlang=en
>
> A string in the form of ".inc.php" is automatically appended to the
> local file path. Despite that it's possible to include every target
> file truncating the filename using %00 (nullbyte):
>
> /locales.php?next=1&srclang=../../../../../../../var/log/apache2/error_log%00%22
>
> Nullbyte injection normally requires magic quotes off.
>
> The vulnerable code is the following:
>
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
>
> 'srclang'=> array(T_ZBX_STR, O_OPT, NULL, NOT_EMPTY, 'isset({next})'),
> [...]
> else if(isset($_REQUEST['next'])){
> [...]
> $fileFrom = 'include/locales/'.$_REQUEST['srclang'].".inc.php";
> if(file_exists($fileFrom)){
> include($fileFrom);
>
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
The second variable, 'extlang', also can be used for the file inclusion
and before r6886 there was the programming error: patch for locales.php
r6593 included wrong validation condition for 'extlang':
-----
if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && ($_REQUEST['extlang'] != 'new'))
-----
This was fixed in revision 6886 of branches/1.6.
> IV. DETECTION
>
> Zabbix 1.6.2 and possibly earlier versions are vulnerable.
>
> V. WORKAROUND
>
> Update zabbix from svn the server (svn://svn.zabbix.com) or download
> version 1.6.3 when aviable.
Be sure to update to the r6886 or later, otherwise LFI will still
be possible.
--
Eygene
Powered by blists - more mailing lists