These URLs are vulnerable to persistent XSS attacks due to improper sanitation of gname variable when creating user and host groups.

URL: hostgroups.php usergrps.php
Vulnerable parameter: gname
Method: POST
Injected: "</options><script>alert('XSS')</script>

Persists in:
http://test/zabbix/hostgroups.php
http://test/zabbix/users.php
http://test/zabbix/hosts.php?form=update&hostid=N (where N is a valid hostid)
http://test/zabbix/scripts.php?form=1&scriptid=N (where N is a valid scriptid)
http://test/zabbix/maintenance.php

Reproducible: Didn't try
Solution: upgrade to 1.8.10
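The report lists several pages that replay the stored gname value, which is why the encoding belongs in the shared output path and not in one form handler. The following is an added illustration of that point, not Zabbix source code and not part of the original report; the function names and the sample group list are hypothetical.

```php
<?php
// Added illustration; not Zabbix code. All function names are hypothetical.

// Constructed sample: group names as they would come back from storage,
// including the string quoted in the report.
$groups = [
    1 => 'Linux servers',
    2 => '"</options><script>alert(\'XSS\')</script>',
];

// Before: the stored name is concatenated into markup unchanged, so every
// page that lists groups sends it to the browser as HTML.
function render_group_options_unsafe(array $groups): string {
    $html = '';
    foreach ($groups as $id => $name) {
        $html .= '<option value="' . $id . '">' . $name . "</option>\n";
    }
    return $html;
}

// After: encode at output time for the HTML context the value lands in.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_group_options(array $groups): string {
    $html = '';
    foreach ($groups as $id => $name) {
        // The id is forced to an integer; the name is entity-encoded.
        $html .= '<option value="' . (int)$id . '">' . h($name) . "</option>\n";
    }
    return $html;
}

echo "--- unencoded ---\n", render_group_options_unsafe($groups);
echo "--- encoded ---\n", render_group_options($groups);

// Regression check: no raw tag from a stored name survives encoding.
if (strpos(render_group_options($groups), '<script') !== false) {
    fwrite(STDERR, "stored name reached the page unencoded\n");
    exit(1);
}
```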
Sorry Tomasz, there is not an ebuild in tree and there is not A
@{patrick,matt} we stabilize here, and make the precedent security bug as stable blocked.
+*zabbix-1.8.10 (30 Dec 2011) + + 30 Dec 2011; Lars Wendler <polynomial-c@gentoo.org> + -zabbix-1.8.10_rc1.ebuild, +zabbix-1.8.10.ebuild: + non-maintainer commit: Version bump (with kind permission from bonsaikitten). + Removed old. This fixes bug #395975 and should help solving bug #396495. +
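Review bot: the ChangeLog text identifies the reason for the bump only by number ("This fixes bug #395975 and should help solving bug #396495"), so someone reading the ChangeLog alone cannot tell what either bug covers, or that 1.8.10 is the version the report names as the fix for the gname XSS. Suggest adding a few words after each bug number saying what it is about.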
Thanks, Lars. Can we move forward to stabilize =net-analyzer/zabbix-1.8.10-r1?
I've briefly reviewed the two non-maintainer commits made in the last 24hrs - the first commit to fix for 1.8.10 and patch handling, and the 2nd to update init scripts to reflect recent syntax changes. Both changes seem to be correct to me after my review (the first I went over in detail last night, the 2nd I just glanced at this evening). I haven't had time yet to test the init script changes in the 2nd commit, but I assume the committer did test. In that case, since 1.8.10 includes important security changes, stabilizing would likely be warranted -- I'd recommend we wait 24hrs to see if any new bugs are opened relating to either commit before marking stable though.
CVE-2011-5027 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5027): Cross-site scripting (XSS) vulnerability in ZABBIX before 1.8.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the profiler.
(In reply to comment #6)
> I'd recommend we wait 24hrs to see if any new bugs are opened
> relating to either commit before marking stable though.

Shall we go? Thanks.
Yes - we're a go for 1.8.10-r1 - I'm not aware of any new bugs for it despite being in tree for a few days and it should resolve several known vulnerabilities. Let's put it out there.
Great, thank you.

Arches, please test and mark stable:
=net-analyzer/zabbix-1.8.10-r1
Target keywords : "amd64 x86"
amd64 stable
x86 stable
Thanks, folks. Closing noglsa for XSS.