Zabbix Web Interface extlang[] Parameter Remote Code Execution

high Nessus Plugin ID 35787

Synopsis

The remote web server hosts a PHP application that is prone to a remote command execution attack.

Description

The remote web server hosts a version of the Zabbix web interface that is affected by a remote code execution vulnerability. The vulnerability involves the 'extlang[]' parameter of the 'locales.php' script.
Provided PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated, remote attacker can exploit this to execute arbitrary code on the remote host subject to the privileges of the web server user id.

Note that this version of the Zabbix web interface is also likely affected by a local file include vulnerability and a cross-site request forgery vulnerability.

Solution

Upgrade to Zabbix 1.6.3 or later.

See Also

https://www.securityfocus.com/archive/1/501400/30/0/threaded

https://www.zabbix.com/rn/rn1.6.3

Plugin Details

Severity: High

ID: 35787

File Name: zabbix_frontend_remote_code.nasl

Version: 1.20

Type: remote

Family: CGI abuses

Published: 3/7/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:zabbix:zabbix

Required KB Items: www/zabbix

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Reference Information

BID: 33965

SECUNIA: 34091