Summary
This host is running Zabbix and is prone to an SQL injection vulnerability.
Impact
Successful exploitation will allow an attacker to perform an SQL injection attack and gain sensitive information.
Impact Level: Application
Solution
Upgrade to Zabbix version 1.8.9 or later.
For updates, refer to http://www.zabbix.com/index.php
Insight
The flaw is due to improper validation of user-supplied input passed via the 'only_hostid' parameter to 'popup.php', which allows attackers to manipulate SQL queries by injecting arbitrary SQL code.
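Added example, not part of the original advisory or of Zabbix itself: a log check that flags requests to 'popup.php' whose 'only_hostid' value is not a plain integer. The log lines, the /zabbix/ path prefix and the rule that a host id is purely numeric are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), not taken from a real system.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/2011:10:00:01 +0000] "GET /zabbix/popup.php?only_hostid=10084 HTTP/1.1" 200 5120
192.0.2.44 - - [01/Dec/2011:10:00:07 +0000] "GET /zabbix/popup.php?only_hostid=10084%27 HTTP/1.1" 200 312
192.0.2.44 - - [01/Dec/2011:10:00:09 +0000] "GET /zabbix/popup.php?only_hostid=NOT_A_NUMBER HTTP/1.1" 200 298
192.0.2.10 - - [01/Dec/2011:10:00:12 +0000] "GET /zabbix/dashboard.php?only_hostid=x HTTP/1.1" 200 900
192.0.2.10 - - [01/Dec/2011:10:00:15 +0000] "GET /zabbix/popup.php HTTP/1.1" 200 4100
"""

# Client address and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate host id is a plain decimal integer.
HOSTID_RE = re.compile(r"[0-9]{1,20}")


def suspicious_popup_requests(log_text):
    """Return (client_ip, decoded_value) for popup.php hits whose only_hostid is not numeric.

    Only values carried in the logged request line are visible here; parameters
    sent in a POST body do not appear in a standard access log.
    """
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/popup.php"):
            continue
        # parse_qs percent-decodes values, so encoded characters are checked too.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("only_hostid", []):
            if not HOSTID_RE.fullmatch(value):
                findings.append((m.group("ip"), value))
    return findings


if __name__ == "__main__":
    for ip, value in suspicious_popup_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric only_hostid: {value!r}")
```

The same allow-list rule (digits only) is what server-side input validation for this parameter would enforce; the log check is useful for reviewing hosts that ran an affected version before the upgrade.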
Affected
Zabbix version 1.8.4 and prior
Severity
Classification
- CVE: CVE-2011-4674
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P