Details
Type: Defect (Security)
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.0beta1
Fix Version/s: 2.2.12rc1, 2.4.8rc1, 3.0.1rc1, 3.2.0alpha1
Component/s: Frontend (F)
Labels:

Description
Suppose we usually go into "Monitoring" -> "Graphs" using the following link:
http://localhost/zabbix/charts.php?graphid=525&period=3600&stime=20160127113255
The last "stime" parameter looks like an encoded date and time together in a validatable format. However, it is not validated. For instance, if we modify the parameter like so, the Web server will hang using 100% CPU:
http://localhost/zabbix/charts.php?graphid=525&period=3600&stime=20000000160127113255
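
One way to validate `stime` before it reaches any date arithmetic, given as an added example and not the fix that shipped in Zabbix. It assumes the parameter is a 14-digit YYYYMMDDhhmmss string, as the URL in the report suggests; the function name `parse_stime` and the accepted time window are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Zabbix code. Assumes stime is YYYYMMDDhhmmss (14 digits).
 * Returns a Unix timestamp on success, or null if the value must be rejected.
 */
function parse_stime(string $raw, ?DateTimeZone $tz = null): ?int
{
    // Shape check first: exactly 14 ASCII digits. An oversized value such as
    // the 20-digit one in the report is refused before any date math runs.
    if (preg_match('/\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\z/', $raw, $m) !== 1) {
        return null;
    }
    [$y, $mo, $d, $h, $mi, $s] = array_map('intval', array_slice($m, 1));

    // Calendar and clock ranges: rejects dates like Feb 30 or hour 25.
    if (!checkdate($mo, $d, $y) || $h > 23 || $mi > 59 || $s > 59) {
        return null;
    }

    $ts = (new DateTimeImmutable('now', $tz ?? new DateTimeZone('UTC')))
        ->setDate($y, $mo, $d)
        ->setTime($h, $mi, $s)
        ->getTimestamp();

    // Assumed policy: a graph start time lies between the Unix epoch and
    // one day ahead of the server clock. Adjust to the data retention in use.
    if ($ts < 0 || $ts > time() + 86400) {
        return null;
    }
    return $ts;
}

// The first two values are the stime strings from the report;
// the remaining ones are constructed for illustration.
$samples = ['20160127113255', '20000000160127113255', '20160230120000', '2016012711325a'];
foreach ($samples as $v) {
    $ts = parse_stime($v);
    printf("%-22s %s\n", $v, $ts === null ? 'rejected' : 'ok -> ' . gmdate('c', $ts));
}
```

A caller would treat a `null` result as an invalid request and fall back to a default time window, without passing the raw string further into the charting code.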