Atomic Secure Linux

Post subject: Zabbix SQL injection
Posted: Tue Dec 13, 2011 4:59 am
Forum Regular
Joined: Sun Jun 04, 2006 10:03 am
Posts: 122
SQL injection vulnerability in popup.php in Zabbix 1.8.3 and 1.8.4, and possibly other versions before 1.8.9, allows remote attackers to execute arbitrary SQL commands via the only_hostid parameter.

https://support.zabbix.com/browse/ZBX-4385
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4674

Solution: Upgrade to version 1.8.9 that has just come out.
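The post above describes the general pattern behind this bug: a request parameter (here `only_hostid`) reaching a SQL statement without validation. The following is an added illustration, not Zabbix's code and not from the original post, modelling that pattern with a constructed in-memory `hosts` table: the unsafe lookup concatenates the parameter into the query, while the hardened lookup validates it as a positive integer and binds it as a query parameter. Function and table names are hypothetical.

```python
import re
import sqlite3

# Constructed sample rows standing in for a monitoring system's hosts table.
SAMPLE_HOSTS = [
    (10001, "db-primary"),
    (10002, "web-01"),
    (10003, "monitoring"),
]


def make_db():
    """Build a throwaway SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hosts (hostid INTEGER PRIMARY KEY, host TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO hosts VALUES (?, ?)", SAMPLE_HOSTS)
    return conn


def lookup_host_unsafe(conn, only_hostid):
    """Vulnerable pattern: the raw request value is concatenated into SQL.

    Whatever the client sends becomes part of the statement, so a value that
    is not a plain integer changes the query's meaning instead of failing.
    """
    sql = "SELECT hostid, host FROM hosts WHERE hostid=" + str(only_hostid)
    return conn.execute(sql).fetchall()


class InvalidParameter(ValueError):
    """Raised when a request parameter fails validation (fail closed)."""


# A host id is a positive integer; anything else is rejected before any SQL runs.
_HOSTID_RE = re.compile(r"[1-9][0-9]{0,18}")


def validate_hostid(raw):
    """Return the parameter as an int, or raise InvalidParameter."""
    if not isinstance(raw, str) or not _HOSTID_RE.fullmatch(raw):
        raise InvalidParameter("only_hostid must be a positive integer")
    return int(raw)


def lookup_host_safe(conn, only_hostid):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    Either measure alone blocks injection; together they give an explicit
    error for bad input (useful for logging) and keep data out of the SQL text.
    """
    hostid = validate_hostid(only_hostid)
    return conn.execute(
        "SELECT hostid, host FROM hosts WHERE hostid=?", (hostid,)
    ).fetchall()


def demo():
    """Run both lookups against a benign and a tampered value and summarise."""
    conn = make_db()
    benign = "10002"
    tampered = "10002 OR 1=1"  # constructed, illustrative malformed value
    results = {
        "unsafe_benign": lookup_host_unsafe(conn, benign),
        "unsafe_tampered_rows": len(lookup_host_unsafe(conn, tampered)),
        "safe_benign": lookup_host_safe(conn, benign),
    }
    try:
        lookup_host_safe(conn, tampered)
        results["safe_tampered"] = "accepted"
    except InvalidParameter as exc:
        results["safe_tampered"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unsafe lookup returning every row for the malformed value, while the hardened lookup returns only the requested host and raises `InvalidParameter` for the malformed one; the same check at the request layer is what a WAF-style rule approximates from the outside.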
Post subject: Re: Zabbix SQL injection
Posted: Tue Dec 13, 2011 8:38 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3243
Location: Chantilly, VA
Thanks for letting everyone know. ASL, the real time rules and the free rules all protect against this attack. So if you are using any of those, and you haven't disabled any of your SQL protection rules, then you are protected from this attack. With that said, we are strong proponents of defense in depth and recommend you upgrade Zabbix when you can, even though you may already be protected from this attack.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
Post subject: Re: Zabbix SQL injection
Posted: Wed Dec 14, 2011 7:47 am
Forum Regular
Joined: Sun Jun 04, 2006 10:03 am
Posts: 122
Thanks for the reply, Mike. I was 99.9% sure that ASL blocked the attack :)
To reveal my "agenda"... I was mostly hinting to Scott to update the rpms in the atomic repository :D

Cheers,

Nik
Post subject: Re: Zabbix SQL injection
Posted: Fri Dec 16, 2011 6:05 am
Forum Regular
Joined: Tue Jul 15, 2008 2:38 pm
Posts: 704
Location: Sweden
npavlidis wrote:
Thanks for the reply, Mike. I was 99.9% sure that ASL blocked the attack :)
To reveal my "agenda"... I was mostly hinting to Scott to update the rpms in the atomic repository :D

Cheers,

Nik


+1