ZABBIX 'locales.php' 'extlang' Parameter Remote Code Execution Network Vulnerability

Summary

ZABBIX is prone to a Remote Code Execution. Input passed to the 'extlang' parameter in 'locales.php' is not properly sanitised before being used to process data. This can be exploited to execute arbitrary commands via specially crafted requests. ZABBIX 1.6.2 and possibly earlier versions are vulnerable.

Solution

Updates are available. Please see the references for more information.

References

http://www.ush.it/team/ush/hack-zabbix_162/adv.txt
http://www.zabbix.com/

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 9.7
AV:N/AC:L/Au:N/C:P/I:C/A:C

Related Vulnerabilities

Atlassian JIRA Privilege Escalation and Multiple Cross Site Scripting Vulnerabilities
68designs 68kb Multiple Remote File Include Vulnerabilities
Atutor AChecker Multiple SQL Injection and XSS Vulnerabilities
AlienVault OSSIM SQL Injection and Remote Code Execution Vulnerabilities
artmedic_links5 File Inclusion Vulnerability

Take action and discover your vulnerabilities