Once the setup process has finished, the user is authenticated and access to all setup.php steps is supposed to be locked. That lock is incomplete, however: setup.php contains a step that can be reached without authentication. The very first step of setup.php, called "db_connect", is accessible to anyone, not only to the administrator.
This can be exploited. An attacker who reaches setup.php and submits the "db_connect" step with values of their own choosing can change the configuration of the Zabbix Frontend.

Description

setup.php implements the installation wizard as a sequence of steps. The first of them, "db_connect", is reachable by everyone, not only by the administrator: the check that is meant to restrict the wizard does not cover this step, so an unauthenticated user can access it.
An attacker who reaches setup.php and submits the "db_connect" step with values of their own choosing can therefore change the configuration of the Zabbix Frontend.

Vulnerability Details

The vulnerable code is the setup.php file, which is reachable not only by the administrator but by everyone. At the end of the setup process the user is authenticated and access to all steps is locked; the lock, however, does not cover the first step, "db_connect", which therefore remains reachable without authentication. Because "db_connect" is the step that takes the database connection settings the rest of the frontend relies on, an unauthenticated request to it is enough to pass the step check and alter the frontend's configuration.
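
As an added illustration (not Zabbix's own code), the following Python model reproduces the kind of step check the text describes, with the corrected check beside it. The step names other than "db_connect", the session and configuration fields, the gate logic and the sample host names are assumptions chosen to show the flaw, not details taken from the Zabbix frontend.

```python
"""
Model of a multi-step setup wizard's step gate (added illustration, not
Zabbix source). Step names other than "db_connect", the session and config
fields, the gate logic and the sample values are assumptions made to
reproduce the flaw: a post-setup lock that exempts the entry step.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict

# Assumed wizard steps in order; "db_connect" is the step that takes the
# database connection settings the rest of the frontend relies on.
STEPS = ("db_connect", "settings", "summary", "install")

DB_FIELDS = ("host", "port", "name", "user")


@dataclass
class Session:
    authenticated: bool = False
    super_admin: bool = False


@dataclass
class FrontendConfig:
    setup_complete: bool = False
    db: Dict[str, str] = field(default_factory=dict)


Gate = Callable[[str, Session, FrontendConfig], bool]


def vulnerable_gate(step: str, session: Session, config: FrontendConfig) -> bool:
    """Flawed check: once setup is complete, every step but the first is
    reserved for an authenticated super-administrator. The entry step is
    exempted, which is exactly the hole: an unauthenticated caller passes
    the check for "db_connect"."""
    if step not in STEPS:
        return False
    if not config.setup_complete:
        return True                      # initial install: wizard is open
    if step == STEPS[0]:
        return True                      # BUG: entry step skips the lock
    return session.authenticated and session.super_admin


def hardened_gate(step: str, session: Session, config: FrontendConfig) -> bool:
    """Corrected check: after setup completes there is no exempt step;
    every step requires an authenticated super-administrator."""
    if step not in STEPS:
        return False
    if not config.setup_complete:
        return True
    return session.authenticated and session.super_admin


def handle_db_connect(params: Dict[str, str], session: Session,
                      config: FrontendConfig, gate: Gate) -> bool:
    """Process a submitted db_connect step. Returns True if the supplied
    database settings were written into the frontend configuration."""
    if not gate("db_connect", session, config):
        return False
    if any(f not in params for f in DB_FIELDS):
        return False                     # incomplete form, nothing written
    config.db = {f: params[f] for f in DB_FIELDS}
    return True


def attacker_attempt(gate: Gate) -> Dict[str, str]:
    """Replay the attack against an already-installed frontend: a session
    with no login submits db_connect pointing the frontend at an
    attacker-controlled database host (constructed values). Returns the
    database settings left in the configuration afterwards."""
    config = FrontendConfig(
        setup_complete=True,
        db={"host": "db.internal", "port": "5432", "name": "zabbix", "user": "zabbix"},
    )
    attacker = Session()                 # unauthenticated
    evil = {"host": "203.0.113.5", "port": "5432", "name": "zabbix", "user": "zabbix"}
    handle_db_connect(evil, attacker, config, gate)
    return config.db


def admin_reconfigure(gate: Gate) -> bool:
    """Legitimate path: an authenticated super-administrator may still
    change the database settings after setup has completed."""
    config = FrontendConfig(setup_complete=True, db={"host": "db.internal"})
    admin = Session(authenticated=True, super_admin=True)
    new = {"host": "db2.internal", "port": "5432", "name": "zabbix", "user": "zabbix"}
    return handle_db_connect(new, admin, config, gate)


if __name__ == "__main__":
    print("vulnerable gate, unauthenticated:", attacker_attempt(vulnerable_gate)["host"])
    print("hardened gate, unauthenticated:", attacker_attempt(hardened_gate)["host"])
    print("hardened gate, super-admin:", admin_reconfigure(hardened_gate))
```

With the vulnerable gate the unauthenticated submission rewrites the database host; with the hardened gate the same request is refused while the super-administrator path still works. Note that before setup completes any wizard of this kind is open by design, so setup.php should also not stay reachable on an installed instance.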

Timeline

Published on: 01/13/2022 16:15:00 UTC
Last modified on: 02/10/2022 07:53:00 UTC

References