Jan 14 2010
NGENUITY-2010-001 Zenoss getJSONEventsInfo SQL Injection
nGenuity Information Services – Security Advisory
Advisory ID: NGENUITY-2010-001 - Zenoss getJSONEventsInfo SQL Injection
Application: Zenoss 2.3.3
Vendor: Zenoss
Vendor website: http://www.zenoss.com
Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
BID: 37802
I. BACKGROUND
"Zenoss Core is an award-winning open source IT monitoring product that effectively manages the configuration, health and performance of networks, servers and applications through a single, integrated software package." [1]
II. DETAILS
getJSONEventsInfo contains multiple SQL Injection vulnerabilities due to improperly sanitized user-provided input. The following URL parameters are injectable: severity, state, filter, offset, and count. Authentication as an admin or regular user is required for successful exploitation. Depending on the type of attack, it may also be accomplished via Cross-Site Request Forgery (CSRF). A proof of concept request might look like this:
/zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=&offset=0&count=60 into outfile "/tmp/z"
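To illustrate the flaw class named in section II, the following is an added, constructed example (not Zenoss's getJSONEventsInfo code, schema or database; the table name `events`, the sample rows and the function names are all assumptions). It contrasts the vulnerable pattern, request parameters concatenated straight into the SQL text, with a hardened version that validates the numeric parameters (severity, state, offset, count) against an allowlisted integer range and binds the free-text filter as a query parameter, so that a non-numeric value in a parameter that should only ever be a number is rejected before any SQL is built.

```python
import sqlite3


class BadParameter(ValueError):
    """Raised when a request parameter fails validation."""


def make_db():
    """Build a constructed in-memory event table (assumed schema, not Zenoss's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events ("
        "evid INTEGER PRIMARY KEY, severity INTEGER, "
        "eventState INTEGER, summary TEXT)"
    )
    rows = [
        (1, 5, 0, "disk full"),
        (2, 1, 1, "ping ok"),
        (3, 3, 0, "cpu high"),
        (4, 5, 1, "link down"),
    ]
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def events_vulnerable(conn, severity, state, offset, count):
    """Vulnerable pattern: parameters are interpolated into the SQL string.

    Whatever the client sends becomes part of the statement, which is the
    root cause the advisory describes (hypothetical code, not Zenoss's).
    """
    sql = (
        "SELECT evid, summary FROM events "
        "WHERE severity >= %s AND eventState = %s "
        "ORDER BY evid LIMIT %s OFFSET %s" % (severity, state, count, offset)
    )
    return conn.execute(sql).fetchall()


def _int_param(name, value, lo, hi):
    """Allowlist a numeric parameter: must parse as int and sit in [lo, hi]."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise BadParameter("%s must be an integer" % name)
    if not lo <= n <= hi:
        raise BadParameter("%s out of range" % name)
    return n


def events_hardened(conn, severity, state, offset, count, filter_text=""):
    """Hardened version: numeric parameters validated, all values bound.

    Bound parameters are passed to the driver separately from the SQL text,
    so the database never parses user input as part of the statement.
    """
    sev = _int_param("severity", severity, 0, 5)
    st = _int_param("state", state, 0, 2)
    off = _int_param("offset", offset, 0, 10 ** 6)
    cnt = _int_param("count", count, 1, 1000)
    sql = (
        "SELECT evid, summary FROM events "
        "WHERE severity >= ? AND eventState = ? AND summary LIKE ? "
        "ORDER BY evid LIMIT ? OFFSET ?"
    )
    pattern = "%" + str(filter_text) + "%"
    return conn.execute(sql, (sev, st, pattern, cnt, off)).fetchall()


def hardened_rejects(conn, severity, state, offset, count):
    """Return True if the hardened handler refuses the given parameters."""
    try:
        events_hardened(conn, severity, state, offset, count)
    except BadParameter:
        return True
    return False


def demo():
    """Run both handlers on the same inputs and report what each returned."""
    conn = make_db()
    # A non-numeric 'state' value: the vulnerable handler lets it change the
    # WHERE clause, the hardened one refuses it outright.
    tampered_state = "1 OR 1=1"
    return {
        "vuln_normal": events_vulnerable(conn, 3, 0, 0, 60),
        "vuln_tampered": events_vulnerable(conn, 1, tampered_state, 0, 60),
        "hardened_normal": events_hardened(conn, "3", "0", "0", "60"),
        "hardened_rejected": hardened_rejects(conn, 1, tampered_state, 0, 60),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The detection side follows from the same split: because the hardened handler rejects bad input before building SQL, a `BadParameter` rejection is a clean place to log the offending parameter name and source address, which gives a monitoring team a signal that is far easier to alert on than database error messages from a query that was already malformed.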
III. REFERENCES
[1] - http://www.zenoss.com
IV. VENDOR COMMUNICATION
3.10.2009 - Vulnerability Discovery
8.21.2009 - Requested status from vendor
9.29.2009 - Vendor call (Fix pending)
Update 1.21.2010
This vulnerability was fixed prior to version 2.5.
http://dev.zenoss.org/trac/changeset/15257
Copyright (c) 2009 nGenuity Information Services, LLC
