[Secure-testing-team] Bug#850939: zabbix: sql injection, remote code execution, privileges escalation

[IvanBayan]

Package: zabbix-frontend-php
Version: 1:2.2.7+dfsg-2+deb8u1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

Bug in zabbix (ZBX-11023 SQL injection vulnerabilities in "Latest data") allow to execute code on remote system. It's not a dublicate of Debian bug #842702  zabbix: CVE-2016-9140: API JSON-RPC remote code execution
ZBX-11023 allows to execute code even for guest user.

I had zabbix available from web with enabled guest user. During investigation i found requests from sqlmap software in apache log, new scripts was configured via zabbix web interface by Admin user (password was untouched and hard to guess), many malicious  scripts in /tmp and few spam sending processes.

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages zabbix-frontend-php depends on:
ii  apache2 [httpd]  2.4.10-10+deb8u7
ii  php5             5.6.29+dfsg-0+deb8u1
ii  php5-gd          5.6.29+dfsg-0+deb8u1
ii  php5-mysql       5.6.29+dfsg-0+deb8u1
ii  php5-pgsql       5.6.29+dfsg-0+deb8u1
ii  ttf-dejavu-core  2.34-1
ii  ucf              3.0030

Versions of packages zabbix-frontend-php recommends:
ii  php5-ldap  5.6.29+dfsg-0+deb8u1

Versions of packages zabbix-frontend-php suggests:
ii  libapache2-mod-php5  5.6.29+dfsg-0+deb8u1

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/doc/zabbix-frontend-php/examples/apache.conf (from zabbix-frontend-php package)