Package: zabbix-frontend-php
Version: 1:2.2.7+dfsg-2+deb8u1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

A bug in zabbix (ZBX-11023, SQL injection vulnerabilities in "Latest data") allows code execution on the remote system.

It is not a duplicate of Debian bug #842702 (zabbix: CVE-2016-9140: API JSON-RPC remote code execution): ZBX-11023 allows code execution even for the guest user.

I had zabbix available from the web with the guest user enabled. During the investigation I found requests from the sqlmap software in the apache log, new scripts configured via the zabbix web interface by the Admin user (the password was untouched and hard to guess), many malicious scripts in /tmp and a few spam-sending processes.

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages zabbix-frontend-php depends on:
ii  apache2 [httpd]   2.4.10-10+deb8u7
ii  php5              5.6.29+dfsg-0+deb8u1
ii  php5-gd           5.6.29+dfsg-0+deb8u1
ii  php5-mysql        5.6.29+dfsg-0+deb8u1
ii  php5-pgsql        5.6.29+dfsg-0+deb8u1
ii  ttf-dejavu-core   2.34-1
ii  ucf               3.0030

Versions of packages zabbix-frontend-php recommends:
ii  php5-ldap         5.6.29+dfsg-0+deb8u1

Versions of packages zabbix-frontend-php suggests:
ii  libapache2-mod-php5  5.6.29+dfsg-0+deb8u1

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/doc/zabbix-frontend-php/examples/apache.conf (from zabbix-frontend-php package)

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
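The report above describes finding sqlmap requests in the Apache log after the "Latest data" SQL injection was used against a frontend with the guest account enabled. The following is an added triage example, not code from the bug report, from Debian or from Zabbix: it parses Apache "combined" format access log lines, flags requests whose User-Agent contains "sqlmap" or whose decoded query string carries common SQL injection markers, notes when such a request targets latest.php (the page behind "Latest data"), and summarises the offending source addresses. The log lines are constructed for the example; the payloads and the `x=` parameter are illustrative and do not name the actual vulnerable parameter.

```python
"""Triage an Apache access log for SQL-injection probing of a Zabbix frontend.

Added example (not part of the bug report or of Zabbix). The sample log
lines below are constructed; the injected payloads are illustrative only.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse SQL-injection markers, applied to the URL-decoded query string.
# Deliberately noisy: this is a triage filter, not a WAF rule.
SQLI_RE = re.compile(
    r"(\bUNION\b.*\bSELECT\b"
    r"|\bSLEEP\s*\("
    r"|\bBENCHMARK\s*\("
    r"|\bAND\b\s+\d+\s*=\s*\d+"
    r"|'\s*OR\s+'?\d"
    r"|--\s"
    r"|/\*"
    r"|\bINFORMATION_SCHEMA\b"
    r"|\bCONCAT\s*\()",
    re.IGNORECASE,
)


def classify(line):
    """Parse one log line; return a dict with a 'reasons' list (empty if benign),
    or None if the line does not match the combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    reasons = []
    if "sqlmap" in rec["ua"].lower():          # sqlmap's default UA advertises itself
        reasons.append("sqlmap user-agent")
    url = unquote_plus(rec["url"])             # decode %20, %27, + before matching
    path = url.split("?", 1)[0]
    if SQLI_RE.search(url):
        reasons.append("sqli-like query string")
    if reasons and path.endswith("/latest.php"):
        reasons.append("targets latest.php (ZBX-11023 'Latest data' page)")
    rec["reasons"] = reasons
    return rec


def triage(lines):
    """Return the parsed records that were flagged, in log order."""
    hits = []
    for line in lines:
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


def suspects(hits):
    """Count flagged requests per source address."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample: one benign dashboard hit, one benign latest.php hit,
# and two probes from the same address (first with sqlmap's UA, then with a
# spoofed browser UA but a UNION-based payload).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Dec/2016:03:10:01 +0100] "GET /zabbix/dashboard.php HTTP/1.1" '
    '200 9876 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Dec/2016:03:10:09 +0100] "GET /zabbix/latest.php?groupid=1 HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Dec/2016:03:12:45 +0100] '
    '"GET /zabbix/latest.php?x=1%20AND%20SLEEP(5) HTTP/1.1" '
    '200 5123 "-" "sqlmap/1.0.11#stable (http://sqlmap.org)"',
    '192.0.2.10 - - [15/Dec/2016:03:13:02 +0100] '
    '"GET /zabbix/latest.php?x=1%27%20UNION%20SELECT%20passwd%20FROM%20users--%20 HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for h in flagged:
        print(h["ts"], h["ip"], h["url"], "=>", "; ".join(h["reasons"]))
    print("suspect addresses:", suspects(flagged))
```

Run it against a real log with `triage(open("/var/log/apache2/access.log"))`. Because sqlmap can be told to send any User-Agent, the query-string markers matter more than the UA check; conversely, the markers will also fire on legitimate comments or search terms, so treat the output as a worklist for the Admin-account and script-configuration review the report describes, not as proof on its own.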

