Zabbix 'only_hostid' Parameter SQL Injection Vulnerability Network Vulnerability

Summary

This host is running Zabbix and is prone to SQL injection vulnerability.

Impact

Successful exploitation will allow attacker to perform SQL Injection attack and gain sensitive information. Impact Level: Application

Solution

Upgrade to Zabbix version 1.8.9 or later For updates refer to http://www.zabbix.com/index.php

Insight

The flaw is due to improper validation of user-supplied input passed via the 'only_hostid' parameter to 'popup.php', which allows attackers to manipulate SQL queries by injecting arbitrary SQL code.

Affected

Zabbix version 1.8.4 and prior

References

http://secunia.com/advisories/45502/
http://www.exploit-db.com/exploits/18155/
http://xforce.iss.net/xforce/xfdb/71479
https://support.zabbix.com/browse/ZBX-4385

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4674
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Apache Struts ClassLoader Manipulation Vulnerabilities
ActivePerl perlIS.dll Buffer Overflow
admin.cgi overflow
Ajax File and Image Manager 'data.php' PHP Code Injection Vulnerability
appRain CMF SQL Injection And Cross Site Scripting Vulnerabilities

Take action and discover your vulnerabilities