TITLE:
Zabbix "UserParameter" Privilege Escalation Weakness

SECUNIA ADVISORY ID:
SA27903

VERIFY ADVISORY:
http://secunia.com/advisories/27903/

CRITICAL:
Not critical

IMPACT:
Privilege escalation

WHERE:
From local network

SOFTWARE:
ZABBIX 1.x
http://secunia.com/product/12242/

DESCRIPTION:
A weakness has been reported in Zabbix, which can be exploited by
malicious users to perform certain actions with escalated privileges.

The weakness is caused due to the "daemon_start()" function in
src/libs/zbxnix/daemon.c not correctly dropping the privileges. This
can be exploited to e.g. execute "UserParameter" scripts as group
"root".

This affects the agent for UNIX-like operating systems only.

The weakness is reported in version 1.4.2. Other versions may also be
affected.

SOLUTION:
Reportedly, this will be fixed in version 1.4.3.

PROVIDED AND/OR DISCOVERED BY:
Bas van Schaik

ORIGINAL ADVISORY:
http://www.zabbix.com/forum/showthread.php?t=8400
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452682
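
The class of weakness described above (a daemon that gives up uid 0 but keeps group "root") is avoided by changing the groups before the user ID and then verifying the result. The following C sketch is an added example, not Zabbix's code or its fix; the function names retains_group() and drop_privileges() are hypothetical, and the advisory does not state the exact defect in daemon_start().

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check: 1 if the real, effective or any supplementary group ID
 * still equals priv_gid, else 0. (Hypothetical helper for this example.) */
int retains_group(gid_t priv_gid, gid_t rgid, gid_t egid,
                  const gid_t *supp, int nsupp)
{
    if (rgid == priv_gid || egid == priv_gid)
        return 1;
    for (int i = 0; i < nsupp; i++)
        if (supp[i] == priv_gid)
            return 1;
    return 0;
}

/* Drop from root to uid/gid. Order matters: the group IDs must be changed
 * while the process is still uid 0, because after setuid() it no longer
 * has the privilege to change them. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t supp[64];
    int n;

    if (setgroups(1, &gid) != 0) return -1;  /* replace supplementary groups */
    if (setgid(gid) != 0) return -1;         /* real, effective, saved gid */
    if (setuid(uid) != 0) return -1;         /* last step: gives up uid 0 */

    /* Verify the resulting credentials instead of trusting return codes. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if ((n = getgroups(64, supp)) < 0) return -1;
    if (gid != 0 && retains_group(0, getgid(), getegid(), supp, n)) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: uid was changed, but every gid was left at 0. */
    gid_t supp[] = { 0 };
    printf("partial drop retains gid 0: %d\n",
           retains_group(0, 0, 0, supp, 1));
    return 0;
}
```

A daemon should call drop_privileges() before it spawns any child process and exit if it returns -1, so that helper scripts never inherit a privileged group.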