CVE-2022-23134: setup.php lets unauthenticated users reach some steps after the setup process.

At the end of the setup process, the user is authenticated and access to all setup.php steps is locked. Before the user is authorized to complete the setup, however, setup.php exposes a step called “db_connect” that anyone can access without authentication. “db_connect” is the very first step of setup.php and is reachable by everyone, not only by the administrator.
An attacker who accesses setup.php and modifies the value of “db_connect” can exploit this vulnerability: by changing that value, the attacker can change the configuration of Zabbix Frontend.

Description

The setup.php file has a step called “db_connect”. It is the very first step of setup.php and is reachable by everyone, not only by the administrator, so anyone can access it.
The vulnerability can be exploited if an attacker accesses setup.php and modifies the value of “db_connect”. By changing that value, the attacker can change the configuration of Zabbix Frontend.

Vulnerability Details

An exploitable vulnerability has been identified in the setup.php file, which is accessible to everyone, not only the administrator. At the end of the setup process, the user is authenticated and access to all steps is locked. Before the user is authorized to complete the setup, however, one step of setup.php can be accessed by anyone without authentication. That step is called “db_connect”; it is the very first step of setup.php and is reachable by everyone, not only by the administrator.
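
Because setup.php should no longer be requested once the frontend is installed, web server access logs are a practical place to check for the access described above. The following is an added example, not code from Zabbix or from this page; it assumes combined-format access logs, and the log lines, paths and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def setup_hits(lines):
    """Return {client_ip: [(timestamp, method, status), ...]} for setup.php requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; ignore
        # Compare the decoded path only, so query strings and
        # percent-encoding do not hide the request.
        path = unquote(urlsplit(m["target"]).path).lower()
        if path.rsplit("/", 1)[-1] == "setup.php":
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def served(hits):
    """Clients that received a 2xx response, i.e. setup.php was actually served."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(200 <= status < 300 for _, _, status in reqs))

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Jan/2022:09:00:01 +0000] "GET /zabbix/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2022:09:02:13 +0000] "GET /zabbix/setup.php HTTP/1.1" 200 2048 "-" "curl/7.79.1"',
    '198.51.100.7 - - [10/Jan/2022:09:02:14 +0000] "POST /zabbix/setup.php HTTP/1.1" 200 2048 "-" "curl/7.79.1"',
    '203.0.113.5 - - [10/Jan/2022:09:05:40 +0000] "GET /zabbix/setup.php?a=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = setup_hits(SAMPLE)
    for ip, reqs in found.items():
        for ts, method, status in reqs:
            print(f"{ip} {ts} {method} setup.php -> {status}")
    print("served (review first):", served(found))
```

Access logs do not show whether a request was authenticated, so every hit on an installed frontend needs review; clients that received a 2xx response are the ones to look at first.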
