Jan 14 2010

NGENUITY-2010-001 Zenoss getJSONEventsInfo SQL Injection

nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2010-001 - Zenoss getJSONEventsInfo SQL Injection
   Application: Zenoss 2.3.3
        Vendor: Zenoss
Vendor website: http://www.zenoss.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
           BID: 37802

  I. BACKGROUND
     "Zenoss Core is an award-winning open source IT monitoring product that
     effectively manages the configuration, health and performance of
     networks, servers and applications through a single, integrated
     software package." [1] 

II. DETAILS
    getJSONEventsInfo contains multiple SQL injection vulnerabilities because
    user-provided input is not properly sanitized. The following URL parameters are
    injectable: severity, state, filter, offset, and count.

    Authentication as an admin or regular user is required for successful exploitation.
    Depending on the type of attack, it may also be accomplished via Cross-Site Request
    Forgery (CSRF).

    A proof of concept request might look like this:
      /zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=&
      offset=0&count=60 into outfile "/tmp/z"
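
A defensive sketch for the five parameters listed above, added here as an example; it is not Zenoss code and not part of the advisory. The table and column names, the value bounds and the function names are assumptions, and SQLite stands in for the real database so the block runs offline.

```python
import re
import sqlite3

# Assumed table/column names and bounds; the page does not show Zenoss's real query.
def int_param(name, value, lo, hi):
    """Accept only a bounded ASCII-digit integer; anything else is rejected."""
    text = str(value)
    if not re.fullmatch(r"[0-9]{1,7}", text) or not lo <= int(text) <= hi:
        raise ValueError("invalid %s: %r" % (name, value))
    return int(text)

def unsafe_query(severity, state, filter_text, offset, count):
    """Concatenation, the flaw class in the advisory: input becomes SQL text."""
    return ("SELECT id, summary FROM events WHERE severity >= %s AND state <= %s "
            "AND summary LIKE '%%%s%%' ORDER BY id LIMIT %s, %s"
            % (severity, state, filter_text, offset, count))

def safe_query(severity, state, filter_text, offset, count):
    """Validate the numeric fields and bind every value as a parameter."""
    sql = ("SELECT id, summary FROM events WHERE severity >= ? AND state <= ? "
           "AND summary LIKE ? ORDER BY id LIMIT ? OFFSET ?")
    params = (int_param("severity", severity, 0, 5),
              int_param("state", state, 0, 2),
              "%" + str(filter_text) + "%",   # `filter` URL parameter, bound as data
              int_param("count", count, 1, 1000),
              int_param("offset", offset, 0, 1000000))
    return sql, params

def demo_db():
    """In-memory SQLite database with constructed sample events."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (id INTEGER, severity INTEGER, "
               "state INTEGER, summary TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)",
                   [(1, 5, 0, "disk full"), (2, 3, 1, "it's down"), (3, 1, 0, "ping ok")])
    return db

def fetch_events(db, **request_args):
    sql, params = safe_query(**request_args)
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    poc = dict(severity="1", state="1", filter_text="", offset="0",
               count='60 into outfile "/tmp/z"')  # count value from the advisory's request
    print(unsafe_query(**poc))            # trailing clause lands inside the statement
    try:
        fetch_events(demo_db(), **poc)
    except ValueError as err:
        print("rejected:", err)
```
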

III. REFERENCES
     [1] - http://www.zenoss.com

 IV. VENDOR COMMUNICATION
     3.10.2009 - Vulnerability Discovery
     8.21.2009 - Requested status from vendor
     9.29.2009 - Vendor call (Fix pending)

     Update 1.21.2010
     This vulnerability was fixed prior to version 2.5.

http://dev.zenoss.org/trac/changeset/15257

Copyright (c) 2009 nGenuity Information Services, LLC
  • By Matt Ray, January 14, 2010 @ 7:34 am

    This was fixed prior to the current 2.5 release.
    http://dev.zenoss.org/trac/changeset/15257

  • By Paul Theodoropoulos, January 21, 2010 @ 4:45 pm

    Please fix the advisory’s 1/14/2009 update notes, the correct ‘fixed prior to’ version, which is not 5.2, but rather is 2.5.
