ZABBIX BUGS AND ISSUES: ZBX-16532

Zabbix before 4.2 allows User Enumeration


    • Type: Incident report
    • Resolution: Duplicate
    • Priority: Minor
    • Affects Version/s: None
    • Fix Version/s: 4.4.0alpha1
    • Component/s: API (A), Frontend (F)
    • Labels: None

      Zabbix before 4.2 allows User Enumeration. It is possible to enumerate application usernames based on the different server responses (Login name or password is incorrect, Account is blocked for N seconds, No permissions for system access) to login requests.

      API Request

      POST /zabbix/api_jsonrpc.php HTTP/1.1
      Host: company
      Content-Type: application/json-rpc

      {
          "jsonrpc": "2.0",
          "method": "user.login",
          "params": {
              "user": "Admin",
              "password": "zabbix"
          },
          "id": 1
      }

      Web Interface Request

      POST /zabbix/index.php HTTP/1.1
      Host: company
      Content-Type: application/x-www-form-urlencoded

      name=Admin&password=password&autologin=1&enter=Sign+in
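      The response oracle the issue describes, modelled as an added example (not Zabbix's own code): a login handler that echoes the failure reason to the client beside a hardened one that returns a single message and keeps the real reason in a server-side log, plus a self-check that tells the two apart. The account table, password hashes and message texts other than the three quoted in the report are constructed for the example.

```python
import hashlib
import hmac

def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

ACCOUNTS = {  # constructed sample table; hashes of made-up passwords, not real data
    "Admin":  {"hash": _h("example-pw-1"), "blocked_for": 0,  "gui_access": True},
    "locked": {"hash": _h("example-pw-2"), "blocked_for": 30, "gui_access": True},
    "nogui":  {"hash": _h("example-pw-3"), "blocked_for": 0,  "gui_access": False},
}
DUMMY_HASH = _h("dummy")  # hashed and compared for unknown users too, so timing matches
GENERIC = "Login name or password is incorrect."
AUDIT_LOG = []            # server-side record of the real failure reason

def _check(user: str, password: str):
    """Return (ok, reason); the reason is for logging, never for the client."""
    acct = ACCOUNTS.get(user)
    pw_ok = hmac.compare_digest(acct["hash"] if acct else DUMMY_HASH, _h(password))
    if acct is None:
        return False, "unknown user"
    if acct["blocked_for"]:
        return False, "blocked"
    if not pw_ok:
        return False, "wrong password"
    if not acct["gui_access"]:
        return False, "no gui access"
    return True, "ok"

def login_leaky(user: str, password: str) -> str:
    """Behaviour the issue reports: 'blocked' / 'no permissions' texts confirm the user exists."""
    ok, reason = _check(user, password)
    if ok:
        return "OK"
    if reason == "blocked":
        return f"Account is blocked for {ACCOUNTS[user]['blocked_for']} seconds."
    if reason == "no gui access":
        return "No permissions for system access."
    return GENERIC

def login_uniform(user: str, password: str) -> str:
    """Hardened variant: one message for every failure, detail goes to the audit log."""
    ok, reason = _check(user, password)
    if not ok:
        AUDIT_LOG.append(f"login failed user={user!r} reason={reason}")
    return "OK" if ok else GENERIC

def leaks_account_state(login) -> bool:
    """Self-check for a login endpoint: True if one wrong password yields different texts."""
    return len({login(u, "definitely-wrong") for u in ("Admin", "locked", "nobody")}) > 1
```

The audit log entries are where a lockout or an alert on many distinct usernames from one source belongs; the client only ever sees the generic text.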

            Assignee: Zabbix Development Team (zabbix.dev)
            Reporter: itsecurityco
            Votes: 2
            Watchers: 6