[Owasp-cuiaba] Fwd: [oss-security] Zabbix SQL injection flaw (CVE request)

Kembolle Amilkar haxorcoding at gmail.com
Saturday July 28 01:37:45 UTC 2012


*Regards, Kembolle Amilkar*
#/[ kembolle.com.br <http://www.kembolle.com.br> ] - Information Security Consulting.
#/ [ samurayconsultoria.com.br ] - Chief Security Officer - Samuray
#/ Systems Analyst | Esp. Information Security | Computer Forensic Expert |
#/ Owasp Chapter Leader Cuiabá - https://www.owasp.org/index.php/Cuiaba
#/ Mobile: [65] 9979-2925  && contato[at]kembolle.com.br.

Could a CVE be assigned to this please?

An SQL injection flaw was found in Zabbix, where input passed via the
"itemid" parameter to popup_bitem.php is not properly sanitized before
being used in an SQL query.

The report was against version 2.0.1, but the upstream bug report [1]
indicates this also affects 1.8.x.  Upstream has patched [2] this, and
there is a potential patch for 1.8.x [3].

[1] https://support.zabbix.com/browse/ZBX-5348
[2] http://git.zabbixzone.com/zabbix2.0/.git/commit/
[3] https://gist.github.com/3181678

Other references:



Vincent Danen / Red Hat Security Response Team
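
A defender-side check for the flaw described above, as an added example that is not part of the original message or of Zabbix: it scans web access log lines for requests to popup_bitem.php whose "itemid" is not a plain decimal integer. The combined log format, the sample lines and the premise that a legitimate itemid is a numeric identifier are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
TARGET_SCRIPT = "popup_bitem.php"   # script named in the report
PARAM = "itemid"                    # parameter named in the report


def suspicious_itemid_requests(lines):
    """Return (line_number, decoded_value) for each request to
    popup_bitem.php whose itemid is not a plain decimal integer."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/" + TARGET_SCRIPT):
            continue  # some other script; out of scope for this check
        # parse_qsl URL-decodes values and keeps repeated parameters,
        # so a clean first itemid cannot hide a second, malformed one.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # Assumption: a legitimate itemid is a numeric identifier.
            if name == PARAM and not re.fullmatch(r"[0-9]+", value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jul/2012:01:00:01 +0000] "GET /zabbix/popup_bitem.php?a=1&itemid=23298 HTTP/1.1" 200 512',
    '192.0.2.44 - - [28/Jul/2012:01:00:07 +0000] "GET /zabbix/popup_bitem.php?itemid=1%27 HTTP/1.1" 200 498',
    '192.0.2.44 - - [28/Jul/2012:01:00:09 +0000] "GET /zabbix/items.php?itemid=abc HTTP/1.1" 200 77',
    '192.0.2.51 - - [28/Jul/2012:01:00:12 +0000] "GET /zabbix/popup_bitem.php?itemid=7&itemid=7+-- HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for number, value in suspicious_itemid_requests(SAMPLE_LOG):
        print(f"line {number}: non-numeric itemid {value!r}")
```

Only parameters visible in the logged request line are inspected, so values sent in a POST body are outside what this check can see.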