[Owasp-cuiaba] Fwd: [oss-security] Zabbix SQL injection flaw (CVE request)

Kembolle Amilkar haxorcoding em gmail.com
Sábado Julho 28 01:37:45 UTC 2012


encaminhando...

*Att. Kembolle Amilkar *
#/[ kembolle.com.br <http://www.kembolle.com.br> ] - Consultoria Segurança
da Informação.
#/ [ samurayconsultoria.com.br ] - Chief Security Officer - Samuray
Consultoria.
#/ Systems Analyst | Esp. Information Security | Computer Forensic Expert |
#/ Owasp Chapter Lider Cuiabá - https://www.owasp.org/index.php/Cuiaba
#/ Mobile: [65] 9979-2925  && contato[at]kembolle.com.br.
**



Could a CVE be assigned to this please?

An SQL injection flaw was found in Zabbix, where input passed via the
"itemid" parameter to popup_bitem.php is not properly sanitized before
being used in an SQL query.

The report was against version 2.0.1, but the upstream bug report [1]
indicates this also affects 1.8.x.  Upstream has patched [2] this, and
there is a potential patch for 1.8.x [3].

[1] https://support.zabbix.com/**browse/ZBX-5348<https://support.zabbix.com/browse/ZBX-5348>
[2] http://git.zabbixzone.com/**zabbix2.0/.git/commit/**
333a3a5542ba8a2c901c24b7bf5440**f41f1f4f54<http://git.zabbixzone.com/zabbix2.0/.git/commit/333a3a5542ba8a2c901c24b7bf5440f41f1f4f54>
[3] https://gist.github.com/**3181678 <https://gist.github.com/3181678>

Other references:

https://bugzilla.redhat.com/**show_bug.cgi?id=843927<https://bugzilla.redhat.com/show_bug.cgi?id=843927>
https://bugs.gentoo.org/show_**bug.cgi?id=428372<https://bugs.gentoo.org/show_bug.cgi?id=428372>

Thanks.

-- 
Vincent Danen / Red Hat Security Response Team
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://lists.owasp.org/pipermail/owasp-cuiaba/attachments/20120727/f4656576/attachment.html>


More information about the Owasp-cuiaba mailing list