edit-icon download-icon

[Vulnerability notice] Web SQL injection vulnerability in jsrpc.php in Zabbix

Last Updated: May 07, 2018

Description

Zabbix is an enterprise open source monitoring software for networks and applications.

The profileIdx2 parameter in jsrpc.php under the Zabbix directory does not impose tight filtering policies for some parameters.

Attackers can construct a malicious request and use the guest account permissions in Zabbix to start web SQL injection attacks on the website, and to further steal the website data or break into the server.

Affected versions

  • Zabbix 2.0.x
  • Zabbix 2.2.x
  • Zabbix 2.4.x
  • Zabbix 3.0.0 - 3.0.3

Fix

  • Use Alibaba Cloud Security Web Application Firewall to intercept the attacking code for this vulnerability.

  • Upgrade Zabbix to the latest version from the official website.

  • If you do not need to use the Zabbix Guest account, we recommend that you disable it.

Thank you! We've received your feedback.