Written by Antonio 's4tan' Parata, Francesco 'ascii' Ongaro and Giovanni 'evilaliv3' Pellerano
Wednesday, 04 March 2009 21:58
ZABBIX 'locales.php' Local File Include and Remote Code Execution Vulnerability
- Bugtraq ID: 33965
- Class: Input Validation Error
- CVE:
- Remote: Yes
- Local: No
- Published: Mar 03 2009 12:00AM
- Updated: Mar 04 2009 01:37PM
- Credit: Antonio 's4tan' Parata, Francesco 'ascii' Ongaro and Giovanni 'evilaliv3' Pellerano
- Vulnerable: ZABBIX ZABBIX 1.6.2
- Not Vulnerable: ZABBIX ZABBIX 1.6.3
- Discussion: ZABBIX is prone to a local file-include vulnerability and a remote code-execution vulnerability, both of which occur in the front-end web interface.
Attackers can exploit these issues to execute arbitrary code within the context of the webserver or gain access to sensitive information. Other attacks are also possible.
ZABBIX 1.6.2 is vulnerable; prior versions may also be affected.
- Exploit(s)/PoC(s): Attackers can exploit these issues via a browser.
The following proof-of-concept URI is available:
http://www.example.com/locales.php?download&langTo&extlang[".phpinfo()."]=1
- Solution: Reports indicate that these issues have been fixed. Please see the references for more information.
- Reference(s):
  - ZABBIX Home Page: http://www.zabbix.com/index.ph (ZABBIX)
  - Zabbix 1.6.2 Frontend Multiple Vulnerabilities: http://www.securityfocus.com/archive/1/50140 (ascii)
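A defender-side check for the request pattern shown in the proof-of-concept URI, as an added example that is not part of the original advisory: it scans web-server access logs for requests to locales.php whose extlang[...] key is anything other than a plain identifier. The combined log format, the constructed sample lines and the identifier allowlist are assumptions to adjust for a given installation.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = '''\
192.0.2.10 - - [04/Mar/2009:21:58:01 +0000] "GET /locales.php?download&langTo&extlang[%22.phpinfo().%22]=1 HTTP/1.1" 200 512
192.0.2.11 - - [04/Mar/2009:21:58:05 +0000] "GET /locales.php?download&langTo&extlang[S_HOSTS]=Hosts HTTP/1.1" 200 498
192.0.2.12 - - [04/Mar/2009:21:58:09 +0000] "GET /dashboard.php?extlang[x()]=1 HTTP/1.1" 200 1024
192.0.2.13 - - [04/Mar/2009:21:58:12 +0000] "POST /zabbix/locales.php?download&extlang%5B%22x%22%5D=1 HTTP/1.1" 200 77
'''

# client address, method and request target from one combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# parameter names of the form extlang[<key>], matched after URL decoding
KEY_RE = re.compile(r'^extlang\[(.*)\]$', re.S)
# Assumption: legitimate extlang keys are plain identifiers; tune for your install.
SAFE_KEY = re.compile(r'^[A-Za-z0-9_]+$')


def suspicious_extlang_keys(target):
    """Return decoded extlang[...] keys in a request target that fail the allowlist."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/locales.php'):
        return []
    bad = []
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        m = KEY_RE.match(name)
        if m and not SAFE_KEY.match(m.group(1)):
            bad.append(m.group(1))
    return bad


def scan(log_text):
    """Return (client, [offending keys]) for every log line that should be reviewed."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        keys = suspicious_extlang_keys(target)
        if keys:
            findings.append((client, keys))
    return findings


if __name__ == '__main__':
    for client, keys in scan(SAMPLE_LOG):
        print(client, keys)
```

Because the parameter name is URL-decoded before matching, bracket and quote characters sent percent-encoded are caught the same way as literal ones.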