Bug 379693 (CVE-2011-2904) - <net-analyzer/zabbix-1.8.6 Cross-Site Scripting Vulnerability (CVE-2011-{2904,3264})
Summary: <net-analyzer/zabbix-1.8.6 Cross-Site Scripting Vulnerability (CVE-2011-{2904...
Status: RESOLVED FIXED
Alias: CVE-2011-2904
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://support.zabbix.com/browse/ZBX...
Whiteboard: B4 [noglsa]
Reported: 2011-08-18 10:43 UTC by Agostino Sarubbo
Modified: 2011-10-07 23:15 UTC
Description Agostino Sarubbo gentoo-dev 2011-08-18 10:43:42 UTC
A vulnerability has been reported in Zabbix, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "backurl" parameter in acknow.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in versions prior to 1.8.6.


Solution:
Update to version 1.8.6.
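
The upstream change in 1.8.6 is not shown on this page. As an added illustration (not Zabbix code), this is one way to handle a `backurl`-style return parameter in PHP: allow-list the target script, then HTML-encode at the point of output. The script names, function names and sample inputs are hypothetical and constructed for the example.

```php
<?php
// Added example, not Zabbix code. Script and function names are hypothetical.

// Scripts the application itself may return the user to (constructed list).
const RETURN_TARGETS = ['list.php', 'detail.php'];

/**
 * Reduce an untrusted "backurl"-style value to a known local target.
 * The part before '?' must be exactly one allow-listed script name, which
 * rules out schemes, hosts, slashes and markup in the path portion.
 */
function safe_backurl(?string $raw, string $default = 'list.php'): string
{
    if ($raw === null || $raw === '' || preg_match('/[\x00-\x1f\x7f]/', $raw)) {
        return $default;            // empty input or control characters (CR/LF)
    }
    [$path] = explode('?', $raw, 2);
    if (!in_array($path, RETURN_TARGETS, true)) {
        return $default;            // unknown path: fail closed
    }
    return $raw;                    // path is trusted; the query string is NOT
}

/** Encode for the HTML attribute context at the point of output. */
function back_link(string $url): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Back</a>';
}

// Constructed inputs: a normal value, markup in the path, a script URL,
// an off-site URL, and markup hidden in the query of an allowed script.
$samples = [
    'detail.php?id=42',
    '"><script>alert(1)</script>',
    'javascript:alert(1)',
    '//example.org/list.php',
    'list.php?q="><script>alert(1)</script>',
];
foreach ($samples as $s) {
    echo back_link(safe_backurl($s)), PHP_EOL;
}
```

The last sample passes the allow-list because its path is valid, so it is only the encoding in `back_link()` that keeps the query string from breaking out of the attribute; both steps are needed.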
Comment 1 Matthew Marlowe (RETIRED) gentoo-dev 2011-08-27 05:54:21 UTC
Updated ebuild fixing this security vulnerability has been committed in testing mode for the relevant arches in portage:

<CIA-100> mattm * gentoo-x86/net-analyzer/zabbix/ (ChangeLog zabbix-1.8.6.ebuild): 
<CIA-100> Bump Zabbix 1.8.6, Fix Security Bug #379693
<CIA-100> (Portage version: 2.1.10.11/cvs/Linux x86_64)
<willikins> CIA-100: https://bugs.gentoo.org/379693 "<net-analyzer/zabbix-1.8.6 Cross-Site Scripting Vulnerability"; Gentoo Security, Vulnerabilities; IN_P; ago:security
Comment 2 Agostino Sarubbo gentoo-dev 2011-08-27 09:39:23 UTC
Thanks Matthew;

arches, please test and mark stable:

=net-analyzer/zabbix-1.8.6
target KEYWORDS : "amd64 ppc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-08-27 10:18:44 UTC
ok on server environment, so bug 376865 is also valid for 1.8.6 (if maintainer wants fix)

amd64 ok
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-08-27 17:39:36 UTC
x86 stable
Comment 5 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-08-27 19:54:58 UTC
amd64: pass.

NB: I think there should be some way to alert the use of multiple databases instead of a make failure.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-27 20:14:53 UTC
ppc keywords dropped
Comment 7 Matthew Marlowe (RETIRED) gentoo-dev 2011-08-27 20:32:16 UTC
> ok on server environment, so bug 376865 is also valid for 1.8.6 (if maintainer
> wants fix)
> 

Thanks -- haven't had a chance to look at that bug yet, just recently took over maintenance of this package from Patrick.  I'll try to get around to that bug in the near future, but I don't think it warrants any delays in stabilizing the security bug.
Comment 8 Matthew Marlowe (RETIRED) gentoo-dev 2011-08-27 20:34:36 UTC
(In reply to comment #5)
> amd64: pass.
> 
> NB: I think there should be some way to alert the use of multiple databases
> instead of a make failure.

Agreed -- the database logic seemed a little weird to me on the ebuild too, I just took over maintenance of the package so I will look at it later, but I don't think this is an issue that should get in the way of stabilizing the security fix, especially as the current stable ebuild has the same logic.
Comment 9 Tony Vroon (RETIRED) gentoo-dev 2011-08-28 22:26:18 UTC
+  28 Aug 2011; Tony Vroon <chainsaw@gentoo.org> zabbix-1.8.6.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah El Lazkani in security bug #379693.

Stabilisation is complete.
Security, please initiate GLSA voting procedures.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-08-28 22:36:30 UTC
Thanks, Tony, folks. No vote is required for XSS vulnerabilities.

Closing noglsa for XSS.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 23:15:43 UTC
CVE-2011-3264 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3264):
  Zabbix before 1.8.6 allows remote attackers to obtain sensitive information
  via an invalid srcfld2 parameter to popup.php, which reveals the
  installation path in an error message.