[ZBX-10319] "stime" parameter for charts.php is not validated and can make Web server consume 100% CPU - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.0beta1
Fix Version/s: 2.2.12rc1, 2.4.8rc1, 3.0.1rc1, 3.2.0alpha1
Component/s: Frontend (F)
Labels:

Description

Suppose we usually go into "Monitoring" -> "Graphs" using the following link:

http://localhost/zabbix/charts.php?graphid=525&period=3600&stime=20160127113255

The last "stime" parameter looks like an encoded date and time together in a validatable format. However, it is not validated. For instance, if we modify the parameter like so, the Web server will hang using 100% CPU:

http://localhost/zabbix/charts.php?graphid=525&period=3600&stime=20000000160127113255

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

broken-graph-1.png
4 kB
2016 Feb 09 14:26
broken-graph-2.png
6 kB
2016 Feb 09 14:26

Activity

People

Assignee:: Unassigned

Reporter:: Aleksandrs Saveljevs

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2016 Jan 28 12:49

Updated:: 2020 Jul 16 14:10

Resolved:: 2016 Feb 16 14:46