Zabbix 1.6.2 Frontend Multiple Vulnerabilities
20081215 Bug discovered
20090116 Initial vendor contact
20090116 Vendor Response (Fixes will be included in Zabbix 1.6.3)
this bug was discovered at xmas and three months later we still have no workaround nor stable version...
in these cases, we want to know as soon as possible when our systems are exposed to risk :(
when will we get an official response to this?
swaterhouse
09-03-2009, 13:38
Not sure if this is the same one you were looking at but check this thread.
http://www.zabbix.com/forum/showthread.php?t=11877
yeah, it's the same, but "my" thread started one day before :P
i suppose this issue is solved by upgrading just the frontend php files (agent and servers not affected, db schemas unaltered, etc) but i'm not 100% sure and i'm just asking for an official answer :)
The reported issues have been fixed several weeks ago. Scope of the changes is quite broad, so we decided not to release a patch before pre-1.6.3 testing is over. Please wait for official 1.6.3.
Note that this affects PHP files only.
thanks, alexei.
i've upgraded only PHP frontend files to 1.6.3pre and it seems to work well (how nice the mouseover menus!).
i also wanted to upgrade my zabbix installation to safeguard from this vulnerability. It would be helpful for me and other zabbix users if you could paste here the procedure you followed for this upgrade.
Thanks & regards
Ashwani Jain
download the tarball 1.6.3pre, uncompress it and copy frontend/php/* to your http directory. it's that simple.
i also modified include/page_footer.php to hide ZABBIX_VER 'cause nobody needs to know which version i am running.
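The copy step from the post above, as an added shell example that is not part of the original thread: it archives the running frontend for rollback, copies the release tree over it, then lists deployed files that do not match the release, since copying over an old install leaves removed or locally edited files in place. The function names, the archive name and all paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). SRC is the unpacked tarball's
# frontend/php directory; DEST and BACKUP_DIR are placeholders you supply.

# upgrade_frontend SRC DEST BACKUP_DIR
upgrade_frontend() {
    src=$1; dest=$2; backup_dir=$3
    [ -d "$src" ] && [ -d "$dest" ] || { echo "missing directory" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1
    # Rollback copy of the running frontend, local configuration included.
    tar -C "$dest" -czf "$backup_dir/frontend-before-upgrade.tar.gz" . || return 1
    # The step described in the post: copy the new PHP tree over the old one.
    cp -R "$src"/. "$dest"/ || return 1
}

# verify_frontend SRC DEST
#   Prints one line per deployed file that is not identical to the release:
#     not-in-release  file exists only in DEST (local config, or old code
#                     that the copy did not replace)
#     differs         file exists in both but content is different
verify_frontend() {
    src=$1; dest=$2
    ( cd "$dest" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$src/$f" ]; then
            echo "not-in-release $f"
        elif ! cmp -s "$src/$f" "$dest/$f"; then
            echo "differs $f"
        fi
    done
}

# Usage (placeholder paths):
#   upgrade_frontend /tmp/zabbix-release/frontend/php /path/to/http/zabbix /path/to/backups
#   verify_frontend  /tmp/zabbix-release/frontend/php /path/to/http/zabbix
```

Files reported as not-in-release should be reviewed one by one: the local configuration is expected there, leftover PHP scripts from the old version are not. A file edited after the copy, such as a changed footer, shows up as differs.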