- Fix zabbix -- php frontend multiple vulnerabilities

Note:

	Input appended to and passed via the "extlang" parameter to the "calc_exp2()"
	function in include/validate.inc.php is not properly sanitised before being
	used. This can be exploited to inject and execute arbitrary PHP code.

	The application allows users to perform certain actions via HTTP requests
	without performing any validity checks to verify the requests. This can be
	exploited to e.g. create users by enticing a logged in administrator to
	visit a malicious web page.

	Input passed to the "srclang" parameter in locales.php (when "next" is set
	to a non-NULL value) is not properly verified before being used to include
	files. This can be exploited to include arbitrary files from local resources
	via directory traversal attacks and URL-encoded NULL bytes.

- Bump PORTREVISION

PR:		132944
Submitted by:	Eygene Ryabinkin <rea-fbsd@codelabs.ru> (many thanks!)
Approved by:	maintainer timeout (security 1 day)
Security:	http://www.vuxml.org/freebsd/03140526-1250-11de-a964-0030843d3802.html

net-mgmt/zabbix-agent/Makefile

@@ -7,6 +7,7 @@
 
 PORTNAME=	zabbix
 PORTVERSION=	1.6.2
+PORTREVISION=	1
 PORTEPOCH=	2
 CATEGORIES=	net-mgmt
 MASTER_SITES=	SF
@@ -24,8 +25,6 @@ MAKE_ARGS=	ARCH=freebsd
 CONFIGURE_ARGS+=--enable-ipv6
 .endif
 
-FORBIDDEN=	multiple vulnerabilities http://www.vuxml.org/freebsd/03140526-1250-11de-a964-0030843d3802.html
-
 ZABBIX_BIN=	agent agentd get sender
 ZABBIX_CFG=	agent agentd
 ZABBIX_BINFILES=${ZABBIX_BIN:S|^|zabbix_|:C|.+|&/&|:S|agentd/|agent/|}

net-mgmt/zabbix/Makefile

@@ -7,6 +7,7 @@
 
 PORTNAME=	zabbix
 PORTVERSION=	1.6.2
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	net-mgmt
 MASTER_SITES=	SF
@@ -38,8 +39,6 @@ SUB_FILES=	pkg-message
 
 .include <bsd.port.pre.mk>
 
-FORBIDDEN=	multiple vulnerabilities http://www.vuxml.org/freebsd/03140526-1250-11de-a964-0030843d3802.html
-
 .ifndef WITHOUT_JABBER
 USE_JABBER=	yes
 CONFIGURE_ARGS+=--with-jabber=${LOCALBASE}
@@ -82,6 +81,7 @@ post-patch:
 	@${REINPLACE_CMD} -e '/test.*rf/s|-rf|-f|;/LDFLAGS/s|-static||;\
 		/LIBS="-lnetsnmp/s|="|="-lcrypto |;s|-lsqlite3|-lsqlite3 ${PTHREAD_LIBS}|'\
 			${WRKSRC}/configure
+	@cd ${WRKSRC} && ${FIND} . -name '*.orig' -exec ${RM} {} \;
 
 .ifdef WITHOUT_FPING
 	@${ECHO} 'DisablePinger=yes' >> ${WRKSRC}/misc/conf/zabbix_server.conf

net-mgmt/zabbix/files/patch-USH-162.1

@@ -0,0 +1,135 @@
+Index: include/validate.inc.php
+===================================================================
+--- frontends/php/include/validate.inc.php	(revision 6592)
++++ frontends/php/include/validate.inc.php	(revision 6593)
+@@ -198,19 +198,21 @@
+ 		return $ret;
+ 	}
+ 
+-	function	calc_exp($fields,$field,$expression){
++	function calc_exp($fields,$field,$expression){
+ //SDI("$field - expression: ".$expression);
+ 
+-		if(zbx_strstr($expression,"{}") && !isset($_REQUEST[$field]))
++		if(zbx_strstr($expression,'{}') && !isset($_REQUEST[$field]))
+ 			return FALSE;
+ 
+-		if(zbx_strstr($expression,"{}") && !is_array($_REQUEST[$field]))
+-			$expression = str_replace("{}",'$_REQUEST["'.$field.'"]',$expression);
++		if(zbx_strstr($expression,'{}') && !is_array($_REQUEST[$field]))
++			$expression = str_replace('{}','$_REQUEST["'.$field.'"]',$expression);
+ 
+-		if(zbx_strstr($expression,"{}") && is_array($_REQUEST[$field])){
++		if(zbx_strstr($expression,'{}') && is_array($_REQUEST[$field])){
+ 			foreach($_REQUEST[$field] as $key => $val){
+-				$expression2 = str_replace("{}",'$_REQUEST["'.$field.'"]["'.$key.'"]',$expression);
+-				if(calc_exp2($fields,$field,$expression2)==FALSE)
++				if(!ereg('^[a-zA-Z0-9_]+$',$key)) return FALSE;
++
++				$expression2 = str_replace('{}','$_REQUEST["'.$field.'"]["'.$key.'"]',$expression);
++				if(calc_exp2($fields,$field,$expression2)==FALSE) 
+ 					return FALSE;
+ 			}	
+ 			return TRUE;
+@@ -219,7 +221,7 @@
+ 		return calc_exp2($fields,$field,$expression);
+ 	}
+ 
+-	function	unset_not_in_list(&$fields){
++	function unset_not_in_list(&$fields){
+ 		foreach($_REQUEST as $key => $val){
+ 			if(!isset($fields[$key])){
+ 				unset_request($key,'unset_not_in_list');
+@@ -382,7 +384,7 @@
+ 		}
+ 	}
+ 
+-	function	check_field(&$fields, &$field, $checks){
++	function check_field(&$fields, &$field, $checks){
+ 		list($type,$opt,$flags,$validation,$exception)=$checks;
+ 
+ 		if($flags&P_UNSET_EMPTY && isset($_REQUEST[$field]) && $_REQUEST[$field]==''){
+@@ -473,9 +475,7 @@
+ 		include_once "include/page_footer.php";
+ 	}
+ 	
+-	function	check_fields(&$fields, $show_messages=true){
+-
+-		global	$_REQUEST;
++	function check_fields(&$fields, $show_messages=true){
+ 		global	$system_fields;
+ 
+ 		$err = ZBX_VALID_OK;
+Index: locales.php
+===================================================================
+--- frontends/php/locales.php	(revision 6592)
++++ frontends/php/locales.php	(revision 6593)
+@@ -19,11 +19,11 @@
+ **/
+ ?>
+ <?php
+-include_once "include/config.inc.php";
++include_once('include/config.inc.php');
+ 
+ if(isset($_REQUEST['download'])){
+-	$page["type"] = PAGE_TYPE_XML;
+-	$page["file"] = "new_locale.inc.php";
++	$page['type'] = PAGE_TYPE_XML;
++	$page['file'] = 'new_locale.inc.php';
+ }
+ else{
+ 	$page['title'] = "S_LOCALES";
+@@ -181,26 +181,25 @@
+ 	$frmLcls->AddOption('id','locales');
+ 	$frmLcls->SetHelp($help);
+ 	
+-	$fileFrom = 'include/locales/'.$_REQUEST['srclang'].".inc.php";
+-	if(file_exists($fileFrom)){
+-		include($fileFrom);
+ 	
++	$fileFrom = 'include/locales/'.$_REQUEST['srclang'].'.inc.php';
++	if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && file_exists($fileFrom)){
++		include($fileFrom);	
+ 		if(!isset($TRANSLATION) || !is_array($TRANSLATION)){
+-			error("Passed SOURCE is NOT valid PHP file.");
++			error('Passed SOURCE is NOT valid PHP file.');
+ 		}
+ 		$transFrom = $TRANSLATION;
+ 	}
+ 	unset($TRANSLATION);
+ 	
+-	$frmLcls->AddVar('extlang',$_REQUEST['extlang']);
+-	
+-	if($_REQUEST['extlang'] != 'new'){
+-		$fileTo = 'include/locales/'.$_REQUEST['extlang'].".inc.php";
++	$frmLcls->addVar('extlang',$_REQUEST['extlang']);
++	if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && ($_REQUEST['extlang'] != 'new')){
++		$fileTo = 'include/locales/'.$_REQUEST['extlang'].'.inc.php';
+ 		if(file_exists($fileTo)){
+ 			include($fileTo);
+ 			
+ 			if(!isset($TRANSLATION) || !is_array($TRANSLATION)){
+-				error("Passed DEST is NOT valid PHP file.");
++				error('Passed DEST is NOT valid PHP file.');
+ 			}
+ 			$transTo = $TRANSLATION;
+ //			header('Content-Type: text/html; charset='.$TRANSLATION['S_HTML_CHARSET']);
+
+-----
+
+This hunk fixes typo in the bugfix for local file inclusion inside
+locales.php
+
+Index: branches/1.6/frontends/php/locales.php
+===================================================================
+--- frontends/php/locales.php	(revision 6885)
++++ frontends/php/locales.php	(revision 6886)
+@@ -193,7 +193,7 @@
+ 	unset($TRANSLATION);
+ 	
+ 	$frmLcls->addVar('extlang',$_REQUEST['extlang']);
+-	if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && ($_REQUEST['extlang'] != 'new')){
++	if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['extlang']) && ($_REQUEST['extlang'] != 'new')){
+ 		$fileTo = 'include/locales/'.$_REQUEST['extlang'].'.inc.php';
+ 		if(file_exists($fileTo)){
+ 			include($fileTo);

net-mgmt/zabbix/pkg-plist

@@ -28,16 +28,15 @@ bin/zabbix_server
 %%DATADIR%%/php/js/sbox.js
 %%DATADIR%%/php/js/services.js
 %%DATADIR%%/php/js/gmenu.js
+%%DATADIR%%/php/js/gpc.js
 %%DATADIR%%/php/js/chkbxrange.js
 %%DATADIR%%/php/js/scrollbar.js
 %%DATADIR%%/php/js/graphs.js
 %%DATADIR%%/php/js/sbinit.js
 %%DATADIR%%/php/js/common.js
 %%DATADIR%%/php/js/ajax_req.js
-%%DATADIR%%/php/js/cookies.js
 %%DATADIR%%/php/js/blink.js
 %%DATADIR%%/php/js/tree.js
-%%DATADIR%%/php/js/url.js
 %%DATADIR%%/php/js/showhint.js
 %%DATADIR%%/php/include/locales/cn_zh.inc.php
 %%DATADIR%%/php/include/locales/lv_lv.inc.php
@@ -80,6 +79,7 @@ bin/zabbix_server
 %%DATADIR%%/php/include/classes/ciframe.inc.php
 %%DATADIR%%/php/include/classes/cscript.inc.php
 %%DATADIR%%/php/include/classes/cpumenu.inc.php
+%%DATADIR%%/php/include/classes/curl.inc.php
 %%DATADIR%%/php/include/classes/pie.inc.php
 %%DATADIR%%/php/include/classes/ctag.inc.php
 %%DATADIR%%/php/include/classes/cbutton.inc.php

net-mgmt/zabbix2-agent/Makefile

@@ -7,6 +7,7 @@
 
 PORTNAME=	zabbix
 PORTVERSION=	1.6.2
+PORTREVISION=	1
 PORTEPOCH=	2
 CATEGORIES=	net-mgmt
 MASTER_SITES=	SF
@@ -24,8 +25,6 @@ MAKE_ARGS=	ARCH=freebsd
 CONFIGURE_ARGS+=--enable-ipv6
 .endif
 
-FORBIDDEN=	multiple vulnerabilities http://www.vuxml.org/freebsd/03140526-1250-11de-a964-0030843d3802.html
-
 ZABBIX_BIN=	agent agentd get sender
 ZABBIX_CFG=	agent agentd
 ZABBIX_BINFILES=${ZABBIX_BIN:S|^|zabbix_|:C|.+|&/&|:S|agentd/|agent/|}

net-mgmt/zabbix2/Makefile

@@ -7,6 +7,7 @@
 
 PORTNAME=	zabbix
 PORTVERSION=	1.6.2
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	net-mgmt
 MASTER_SITES=	SF
@@ -38,8 +39,6 @@ SUB_FILES=	pkg-message
 
 .include <bsd.port.pre.mk>
 
-FORBIDDEN=	multiple vulnerabilities http://www.vuxml.org/freebsd/03140526-1250-11de-a964-0030843d3802.html
-
 .ifndef WITHOUT_JABBER
 USE_JABBER=	yes
 CONFIGURE_ARGS+=--with-jabber=${LOCALBASE}
@@ -82,6 +81,7 @@ post-patch:
 	@${REINPLACE_CMD} -e '/test.*rf/s|-rf|-f|;/LDFLAGS/s|-static||;\
 		/LIBS="-lnetsnmp/s|="|="-lcrypto |;s|-lsqlite3|-lsqlite3 ${PTHREAD_LIBS}|'\
 			${WRKSRC}/configure
+	@cd ${WRKSRC} && ${FIND} . -name '*.orig' -exec ${RM} {} \;
 
 .ifdef WITHOUT_FPING
 	@${ECHO} 'DisablePinger=yes' >> ${WRKSRC}/misc/conf/zabbix_server.conf

net-mgmt/zabbix2/files/patch-USH-162.1

@@ -0,0 +1,135 @@
+Index: include/validate.inc.php
+===================================================================
+--- frontends/php/include/validate.inc.php	(revision 6592)
++++ frontends/php/include/validate.inc.php	(revision 6593)
+@@ -198,19 +198,21 @@
+ 		return $ret;
+ 	}
+ 
+-	function	calc_exp($fields,$field,$expression){
++	function calc_exp($fields,$field,$expression){
+ //SDI("$field - expression: ".$expression);
+ 
+-		if(zbx_strstr($expression,"{}") && !isset($_REQUEST[$field]))
++		if(zbx_strstr($expression,'{}') && !isset($_REQUEST[$field]))
+ 			return FALSE;
+ 
+-		if(zbx_strstr($expression,"{}") && !is_array($_REQUEST[$field]))
+-			$expression = str_replace("{}",'$_REQUEST["'.$field.'"]',$expression);
++		if(zbx_strstr($expression,'{}') && !is_array($_REQUEST[$field]))
++			$expression = str_replace('{}','$_REQUEST["'.$field.'"]',$expression);
+ 
+-		if(zbx_strstr($expression,"{}") && is_array($_REQUEST[$field])){
++		if(zbx_strstr($expression,'{}') && is_array($_REQUEST[$field])){
+ 			foreach($_REQUEST[$field] as $key => $val){
+-				$expression2 = str_replace("{}",'$_REQUEST["'.$field.'"]["'.$key.'"]',$expression);
+-				if(calc_exp2($fields,$field,$expression2)==FALSE)
++				if(!ereg('^[a-zA-Z0-9_]+$',$key)) return FALSE;
++
++				$expression2 = str_replace('{}','$_REQUEST["'.$field.'"]["'.$key.'"]',$expression);
++				if(calc_exp2($fields,$field,$expression2)==FALSE) 
+ 					return FALSE;
+ 			}	
+ 			return TRUE;
+@@ -219,7 +221,7 @@
+ 		return calc_exp2($fields,$field,$expression);
+ 	}
+ 
+-	function	unset_not_in_list(&$fields){
++	function unset_not_in_list(&$fields){
+ 		foreach($_REQUEST as $key => $val){
+ 			if(!isset($fields[$key])){
+ 				unset_request($key,'unset_not_in_list');
+@@ -382,7 +384,7 @@
+ 		}
+ 	}
+ 
+-	function	check_field(&$fields, &$field, $checks){
++	function check_field(&$fields, &$field, $checks){
+ 		list($type,$opt,$flags,$validation,$exception)=$checks;
+ 
+ 		if($flags&P_UNSET_EMPTY && isset($_REQUEST[$field]) && $_REQUEST[$field]==''){
+@@ -473,9 +475,7 @@
+ 		include_once "include/page_footer.php";
+ 	}
+ 	
+-	function	check_fields(&$fields, $show_messages=true){
+-
+-		global	$_REQUEST;
++	function check_fields(&$fields, $show_messages=true){
+ 		global	$system_fields;
+ 
+ 		$err = ZBX_VALID_OK;
+Index: locales.php
+===================================================================
+--- frontends/php/locales.php	(revision 6592)
++++ frontends/php/locales.php	(revision 6593)
+@@ -19,11 +19,11 @@
+ **/
+ ?>
+ <?php
+-include_once "include/config.inc.php";
++include_once('include/config.inc.php');
+ 
+ if(isset($_REQUEST['download'])){
+-	$page["type"] = PAGE_TYPE_XML;
+-	$page["file"] = "new_locale.inc.php";
++	$page['type'] = PAGE_TYPE_XML;
++	$page['file'] = 'new_locale.inc.php';
+ }
+ else{
+ 	$page['title'] = "S_LOCALES";
+@@ -181,26 +181,25 @@
+ 	$frmLcls->AddOption('id','locales');
+ 	$frmLcls->SetHelp($help);
+ 	
+-	$fileFrom = 'include/locales/'.$_REQUEST['srclang'].".inc.php";
+-	if(file_exists($fileFrom)){
+-		include($fileFrom);
+ 	
++	$fileFrom = 'include/locales/'.$_REQUEST['srclang'].'.inc.php';
++	if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && file_exists($fileFrom)){
++		include($fileFrom);	
+ 		if(!isset($TRANSLATION) || !is_array($TRANSLATION)){
+-			error("Passed SOURCE is NOT valid PHP file.");
++			error('Passed SOURCE is NOT valid PHP file.');
+ 		}
+ 		$transFrom = $TRANSLATION;
+ 	}
+ 	unset($TRANSLATION);
+ 	
+-	$frmLcls->AddVar('extlang',$_REQUEST['extlang']);
+-	
+-	if($_REQUEST['extlang'] != 'new'){
+-		$fileTo = 'include/locales/'.$_REQUEST['extlang'].".inc.php";
++	$frmLcls->addVar('extlang',$_REQUEST['extlang']);
++	if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && ($_REQUEST['extlang'] != 'new')){
++		$fileTo = 'include/locales/'.$_REQUEST['extlang'].'.inc.php';
+ 		if(file_exists($fileTo)){
+ 			include($fileTo);
+ 			
+ 			if(!isset($TRANSLATION) || !is_array($TRANSLATION)){
+-				error("Passed DEST is NOT valid PHP file.");
++				error('Passed DEST is NOT valid PHP file.');
+ 			}
+ 			$transTo = $TRANSLATION;
+ //			header('Content-Type: text/html; charset='.$TRANSLATION['S_HTML_CHARSET']);
+
+-----
+
+This hunk fixes typo in the bugfix for local file inclusion inside
+locales.php
+
+Index: branches/1.6/frontends/php/locales.php
+===================================================================
+--- frontends/php/locales.php	(revision 6885)
++++ frontends/php/locales.php	(revision 6886)
+@@ -193,7 +193,7 @@
+ 	unset($TRANSLATION);
+ 	
+ 	$frmLcls->addVar('extlang',$_REQUEST['extlang']);
+-	if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['srclang']) && ($_REQUEST['extlang'] != 'new')){
++	if(ereg('^[A-Za-z0-9_]+$', $_REQUEST['extlang']) && ($_REQUEST['extlang'] != 'new')){
+ 		$fileTo = 'include/locales/'.$_REQUEST['extlang'].'.inc.php';
+ 		if(file_exists($fileTo)){
+ 			include($fileTo);

net-mgmt/zabbix2/pkg-plist

@@ -28,16 +28,15 @@ bin/zabbix_server
 %%DATADIR%%/php/js/sbox.js
 %%DATADIR%%/php/js/services.js
 %%DATADIR%%/php/js/gmenu.js
+%%DATADIR%%/php/js/gpc.js
 %%DATADIR%%/php/js/chkbxrange.js
 %%DATADIR%%/php/js/scrollbar.js
 %%DATADIR%%/php/js/graphs.js
 %%DATADIR%%/php/js/sbinit.js
 %%DATADIR%%/php/js/common.js
 %%DATADIR%%/php/js/ajax_req.js
-%%DATADIR%%/php/js/cookies.js
 %%DATADIR%%/php/js/blink.js
 %%DATADIR%%/php/js/tree.js
-%%DATADIR%%/php/js/url.js
 %%DATADIR%%/php/js/showhint.js
 %%DATADIR%%/php/include/locales/cn_zh.inc.php
 %%DATADIR%%/php/include/locales/lv_lv.inc.php
@@ -80,6 +79,7 @@ bin/zabbix_server
 %%DATADIR%%/php/include/classes/ciframe.inc.php
 %%DATADIR%%/php/include/classes/cscript.inc.php
 %%DATADIR%%/php/include/classes/cpumenu.inc.php
+%%DATADIR%%/php/include/classes/curl.inc.php
 %%DATADIR%%/php/include/classes/pie.inc.php
 %%DATADIR%%/php/include/classes/ctag.inc.php
 %%DATADIR%%/php/include/classes/cbutton.inc.php