
Zabbix 1.8.x-2.2.x Local File Inclusion via XXE Attack

Description

Zabbix versions 1.8.x through 2.2.x contain an XML External Entity (XXE) vulnerability in the frontend's XML data import feature. The application uses PHP's DOMDocument class to parse imported XML files without disabling external entity processing. An unauthenticated attacker can exploit this by uploading a malicious XML file containing external entity references, forcing the server to read arbitrary local files and exfiltrate their contents to an attacker-controlled remote server.

Affected versions: 1.8.19, 1.8.20, 2.0.9, 2.0.10, 2.0.11rc2, 2.0.11, 2.2.2, 2.2.3rc1, 2.2.3rc2, 2.2.3
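The unsafe DOMDocument pattern the description refers to, shown beside a hardened import parser, as an added example that is not Zabbix's own code. The function names, the two sample documents and the `file:///path/to/some/local/file` placeholder are constructed for illustration; the hardening itself (reject any DOCTYPE, never request entity substitution, turn off the libxml entity loader) is the standard PHP defence against XXE.

```php
<?php
// Added example, not Zabbix frontend code. Shows why LIBXML_NOENT is dangerous
// on untrusted input and what a hardened XML import parser looks like.

// Constructed sample: the shape an XXE attempt takes. A DOCTYPE declares an
// external entity and an element the importer reads references it.
// The path is a placeholder, not a real target.
const SUSPECT_IMPORT = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zabbix_export [
  <!ENTITY ext SYSTEM "file:///path/to/some/local/file">
]>
<zabbix_export><hosts><host><name>&ext;</name></host></hosts></zabbix_export>
XML;

// Constructed sample: a benign import of the same shape without a DOCTYPE.
const CLEAN_IMPORT = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export><hosts><host><name>web01</name></host></hosts></zabbix_export>
XML;

// Vulnerable pattern (defined for contrast, never called here). LIBXML_NOENT
// asks libxml2 to substitute entities, external ones included, so the parser
// reads the referenced file on the server and places its contents in <name>,
// from where an export or error message can carry it out. Older libxml2
// builds (before 2.9) resolved external entities even without this flag.
function parseImportUnsafely(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    return $dom;
}

// Hardened pattern.
function parseImportSafely(string $xml): DOMDocument
{
    // The export format never needs a DTD, so any DOCTYPE is rejected outright;
    // entity declarations cannot exist without one. A plain substring check is
    // deliberately strict: a legitimate import has no reason to contain either.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('DOCTYPE/ENTITY declarations are not permitted in import files');
    }

    // Belt and braces: disable the external entity loader for this parse.
    // On PHP 8.0+ the loader is already off unless explicitly enabled and the
    // call is deprecated, so it is only made on the PHP 5.x/7.x builds that
    // actually ran Zabbix 2.x.
    $loaderWasDisabled = null;
    if (PHP_VERSION_ID < 80000) {
        $loaderWasDisabled = libxml_disable_entity_loader(true);
    }
    $useInternal = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // No LIBXML_NOENT and no LIBXML_DTDLOAD; LIBXML_NONET forbids network access
    // during parsing as well.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();

    // Restore the global libxml state whatever the outcome.
    libxml_use_internal_errors($useInternal);
    if ($loaderWasDisabled !== null) {
        libxml_disable_entity_loader($loaderWasDisabled);
    }

    if ($ok === false) {
        $detail = $errors ? trim($errors[0]->message) : 'unknown parse error';
        throw new InvalidArgumentException("Malformed import XML: $detail");
    }
    return $dom;
}

// Run both constructed documents through the hardened parser.
foreach (['suspect' => SUSPECT_IMPORT, 'clean' => CLEAN_IMPORT] as $label => $doc) {
    try {
        $dom  = parseImportSafely($doc);
        $name = $dom->getElementsByTagName('name')->item(0)->textContent;
        echo "$label: accepted, first host name = $name\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

The DOCTYPE check is the part that matters most: the libxml entity-loader switch is process-global and easy to leave in the wrong state, whereas refusing any document that declares a DTD removes the whole class of entity tricks before the parser sees them. Review of older frontends for this bug means looking for `LIBXML_NOENT` (or `LIBXML_DTDLOAD`) on `loadXML`/`load` calls and for `DOMDocument` use with no `libxml_disable_entity_loader(true)` in scope.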

Remediation

Immediately upgrade Zabbix to version 2.3.2 or later, which resolves this vulnerability by properly disabling external entity processing in XML parsing.

Remediation Steps:
1. Back up your current Zabbix configuration and database
2. Download Zabbix version 2.3.2 or the latest stable release from the official Zabbix website
3. Follow the official upgrade documentation for your specific version path
4. After upgrading, verify that XML import functionality works as expected
5. Review server logs for any suspicious XML import attempts that may indicate prior exploitation

Temporary Mitigation (if immediate upgrade is not possible):
Restrict access to the XML import functionality to trusted administrators only through web server access controls or firewall rules until the upgrade can be completed.