Fedora has issued an advisory on August 22:
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085844.html

Mageia 2 is also affected.
CC: (none) => mitya
Whiteboard: (none) => MGA2TOO
Created attachment 2762
zabbix-1.8.2-CVE-2012-3435.patch

Debian has issued an advisory for this today (September 6):
http://www.debian.org/security/2012/dsa-2539

Interestingly, they haven't fixed it yet in wheezy, which has the same zabbix version we do (1.8.11).

Also, the patch they used is different than the suggested patch for 1.8.x linked by RedHat (which is here):
https://gist.github.com/3181678

I've attached Debian's patch for 1.8.2.
Severity: normal => major
Assignee: bugsquad => mitya
CC: (none) => oe
An update has been uploaded for Mageia 2 by Dimitri.

This can be assigned to QA when he confirms it's ready and it's been updated in Cauldron too.

Packages built:
zabbix-1.8.15-1.mga2
zabbix-agent-1.8.15-1.mga2
zabbix-web-1.8.15-1.mga2

from zabbix-1.8.15-1.mga2.src.rpm
David, I'm working on Zabbix 2.0.4 package now (for inclusion into Mageia 3), and it's going to take some time. I think there is no need for Mga2 update to wait, so it can be pushed now.
Ahh yes, I remember you telling me that on IRC now. Thanks Dimitri!

Assigning to QA.

Advisory:
========================

Updated zabbix packages fix security vulnerability:

SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter (CVE-2012-3435).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3435
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085844.html
========================

Updated packages in core/updates_testing:
========================
zabbix-1.8.15-1.mga2
zabbix-agent-1.8.15-1.mga2
zabbix-web-1.8.15-1.mga2

from zabbix-1.8.15-1.mga2.src.rpm
Version: Cauldron => 2
Assignee: mitya => qa-bugs
Whiteboard: MGA2TOO => (none)
Possible PoC: http://www.exploit-db.com/exploits/20087/
PoC seems unrelated but is linked from the zabbix bug https://support.zabbix.com/browse/ZBX-5348
Same PoC found at: http://www.securityfocus.com/bid/54661/exploit
Before
------
Installed zabbix & zabbix-web, browsed to http://localhost/zabbix and created the db with phpmyadmin.

It's necessary to chmod 777 /usr/share/zabbix/conf to allow it to save the config file. chmod back to 755 afterwards.

After completing the web based installation successfully, when it moves on to the login page it shows a lot of mysql errors at the top of the page.

Checking with phpmyadmin shows the zabbix db is empty, despite the connection test succeeding. Tried also with skip-networking disabled.

# systemctl start zabbix.service
started OK

Not sure how to proceed. I'll test with the updated packages.
Same problem with updated packages.

Testing was mga2 32 btw.
Whiteboard: (none) => feedback
(In reply to comment #8)
> After completing the web based installation successfully when it moves on to
> the login page it shows a lot of mysql errors at the top of the page.

Claire,

Have you created database structure and performed initial population? You will need to manually execute 3 SQL scripts for that. Please see http://www.zabbix.com/documentation/1.8/manual/installation (4.3 Zabbix Server, Step 3).

SQL scripts are shipped in /usr/share/doc/zabbix/create directory.
Thanks Dimitri, that was quick :)
Whiteboard: feedback => (none)
The package has been updated to include a short README.urpmi clarifying that one needs to run SQL scripts manually to complete Zabbix installation.
Thanks Dimitri! New srpm zabbix-1.8.15-2.mga2
Thanks Dimitri. Reposting the advisory with the updated package version.

Advisory:
========================

Updated zabbix packages fix security vulnerability:

SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter (CVE-2012-3435).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3435
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085844.html
========================

Updated packages in core/updates_testing:
========================
zabbix-1.8.15-2.mga2
zabbix-agent-1.8.15-2.mga2
zabbix-web-1.8.15-2.mga2

from zabbix-1.8.15-2.mga2.src.rpm
*** Bug 8458 has been marked as a duplicate of this bug. ***
In http://127.0.0.1/zabbix/setup.php, I'm getting a message

date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead [include/page_header.php:145]

Also, in the "Check of pre-requisites", I'm getting a fail on PHP timezone.

The php-timezonedb package is installed, so I'm not sure what's needed to fix these problems.
CC: (none) => davidwhodgins
Ignore Comment 16. Figured out I had to set the date.timezone in /etc/php.ini
On the login screen, I'm now getting an error

include(): Failed opening 'schema.inc.php' for inclusion (include_path='.:/usr/lib/php/:/usr/share/pear/:/usr/share/php/') [.php:1163]

I've manually added /usr/share/zabbix/include/ to the include_path in /etc/php.ini to get rid of that error.

(I'm still working with the Core Release version, to see if I can get the poc to work).
Found out the db user/password have to be set in /etc/zabbix/zabbix_server.conf, as well as in the web interface.
Created attachment 3302
POC python script with indenting fixed.

After fixing the indentation of the POC script, so that it'll at least run, the output with the Core Release version is

$ python zabbix.test.py
[*] Zabbix 2.0.1 Session Extractor 0day
[*] http://www.offensive-security.com
##################################
[*] Searching sessions belonging to id 1

And that's it. I'll install the update now, and see if there's any difference.
No difference after updating, but it looks to me like the poc is not valid.

As this is a security update, and the packages are working, on both i586 and x86-64, I'll go ahead and validate the update.

Could someone from the sysadmin team push the srpm zabbix-1.8.15-2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates?

Advisory:
Updated zabbix packages fix security vulnerability:

SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter (CVE-2012-3435).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3435
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085844.html

https://bugs.mageia.org/show_bug.cgi?id=7277
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0370
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
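
Added example (not part of the bug thread and not Zabbix or Mageia code): a defender-side check for the issue named in the advisory, scanning web server access logs for requests to popup_bitem.php whose itemid parameter is not purely numeric. The combined log format, the /zabbix/ URL prefix and the rule that a legitimate itemid is a decimal integer are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address and request target of a combined-format access log line
# (the log format is an assumption, adjust for your server).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Sep/2012:10:00:01 +0000] '
    '"GET /zabbix/popup_bitem.php?itemid=22189 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [06/Sep/2012:10:00:07 +0000] '
    '"GET /zabbix/popup_bitem.php?itemid=22189%27 HTTP/1.1" 200 911',
    '192.0.2.44 - - [06/Sep/2012:10:00:09 +0000] '
    '"GET /zabbix/popup_bitem.php?itemid=abc&itemid=7 HTTP/1.1" 200 911',
    '192.0.2.10 - - [06/Sep/2012:10:00:12 +0000] '
    '"GET /zabbix/index.php?itemid=x HTTP/1.1" 200 8000',
    'garbage line that does not parse',
]


def suspicious_itemid_requests(lines, script="popup_bitem.php"):
    """Return (client_ip, decoded_itemid) for each request to `script`
    whose itemid value is not made up of digits only."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/" + script):
            continue  # only the script named in the advisory
        # parse_qs percent-decodes values and keeps repeated parameters,
        # so a numeric value cannot hide a second, non-numeric one.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("itemid", []):
            if not re.fullmatch(r"[0-9]+", value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_itemid_requests(SAMPLE_LOG):
        print(f"{ip}: non-numeric itemid {value!r}")
```

Parameters sent in a POST body do not appear in an access log, so this only covers values passed in the query string.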