Description

Zabbix frontend supported an XML data import feature, where on the server it used DOMDocument to parse the XML. By default, DOMDocument also parses the external DTD, which could allow a remote attacker to use a crafted XML file causing Zabbix to read an arbitrary local file, and send the contents of the specified file to a remote server.

Affected versions: 1.8.19, 1.8.20, 2.0.9, 2.0.10, 2.0.11rc2, 2.0.11, 2.2.2, 2.2.3rc1, 2.2.3rc2, 2.2.3

Remediation

Upgrade to the latest version of Zabbix (this issue was fixed in version 2.3.2).

References

Zabbix 1.8.x-2.2.x Local File Inclusion via XXE Attack

Related Vulnerabilities

Subscribe to Comments Local File Inclusion (2.1.2)

Eventify-Simple Events 'npath' Parameter Remote File Include (1.7.g)

Easy Forms for MailChimp Local File Inclusion (6.0.5.5)

Joomla! Core 3.x.x Remote File Inclusion (3.0.0 - 3.2.5)

BackUpWordPress Remote File Inclusion (0.4.2b)

Severity

High

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Tags

File Inclusion XXE