[ZBX-12769] Reflected xss vulnerabilities - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Incident report
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 4.0.0alpha1
Fix Version/s: 2.2.20rc1, 3.0.11rc1, 3.2.8rc1, 3.4.2rc1, 4.0.0alpha1, 4.0 (plan)
Component/s: Frontend (F)
Labels:
- frontend
- security
- xss

Team:
Team A
Sprint:
Sprint 15, Sprint 16
Story Points:
1

Description

There are multiple reflected xss vulnerabilities in frontend.

POC is the following maliciously crafted link ("zabbix.internal" should be replaced with your domain name):
http://zabbix.internal/popup.php?dstfrm=expression&dstfld1=itemid&srctbl=items&srcfld2=name&srcfld1=itemid&dstfld2=%22:alert(document.cookie)%2B%22%22,%22

This link leads to a page with item list. Each item name contains onclick handler with injected script.

Clicking on any of the item names causes script execution:

Another example would be the following link:
http://zabbix.internal/screen.import.php?backurl=javascript:alert(document.cookie)&

Click on "Cancel" button will cause execution of injected script.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

reflected_xss.png
23 kB
2017 May 02 15:31

Issue Links

depends on

ZBX-12768 WASA Findings from NSOC Team

Closed

Activity

People

Assignee:: Gregory Chalenko

Reporter:: Vjaceslavs Bogdanovs

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2017 May 02 15:31

Updated:: 2018 Oct 09 10:36

Resolved:: 2017 Sep 12 17:22