Detections
Analytics

Zabbix Web Interface extlang[] Parameter Remote Code Execution

high Nessus Plugin ID 35787

Language:

Synopsis

The remote web server hosts a PHP application that is prone to a remote command execution attack.

Description

The remote web server hosts a version of the Zabbix web interface that is affected by a remote code execution vulnerability. The vulnerability involves the 'extlang[]' parameter of the 'locales.php' script.
Provided PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated, remote attacker can exploit this to execute arbitrary code on the remote host subject to the privileges of the web server user id.

Note that this version of the Zabbix web interface is also likely affected by a local file include vulnerability and a cross-site request forgery vulnerability.

Solution

Upgrade to Zabbix 1.6.3 or later.

See Also

https://www.securityfocus.com/archive/1/501400/30/0/threaded

https://www.zabbix.com/rn/rn1.6.3

Plugin Details

Severity: High

ID: 35787

File Name: zabbix_frontend_remote_code.nasl

Version: 1.21

Type: remote

Family: CGI abuses

Published: 3/7/2009

Updated: 4/4/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis of the vendor advisory.

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: manual

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:zabbix:zabbix

Required KB Items: www/zabbix

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Reference Information

BID: 33965

SECUNIA: 34091