
Zabbix before 4.2 allows User Enumeration

    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 4.4.0alpha1
    • Fix Version/s: None
    • Component/s: API (A), Frontend (F)
    • Labels: None

      Description

      Zabbix before 4.2 allows user enumeration. It is possible to enumerate application usernames based on the differing server responses to login requests (Login name or password is incorrect, Account is blocked for N seconds, No permissions for system access).

      API Request

      POST /zabbix/api_jsonrpc.php HTTP/1.1
      Host: company
      Content-Type: application/json-rpc
      
      {
      "jsonrpc": "2.0",
      "method": "user.login",
      "params": {
      "user": "Admin",
      "password": "zabbix"
      },
      "id": 1
      }

      Web Interface Request

      POST /zabbix/index.php HTTP/1.1
      Host: company
      Content-Type: application/x-www-form-urlencoded
      
      name=Admin&password=password&autologin=1&enter=Sign+in
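As an added illustration (example code written for this page, not Zabbix's own), a small Python model of the three login failure messages the report names, beside a handler that returns one generic message for every failure, plus a self-check that reports whether the replies still vary by username. Account names, passwords and lockout values are constructed placeholders.

```python
# Added example, not Zabbix code: models the three failure messages named in
# this report and a uniform-response login, then checks whether a caller can
# tell usernames apart from what the server returns.
import logging
from dataclasses import dataclass

log = logging.getLogger("auth")

@dataclass
class Account:
    password: str
    blocked_for: int = 0          # seconds left in a lockout, 0 = not blocked
    frontend_access: bool = True  # False -> "No permissions for system access"

# Constructed sample user store (placeholders, not real credentials).
USERS = {
    "admin": Account("s3cret"),
    "locked": Account("s3cret", blocked_for=30),
    "noaccess": Account("s3cret", frontend_access=False),
}

GENERIC = "Login name or password is incorrect."

def login_verbose(name: str, password: str) -> str:
    """Pre-4.2 style model: the reply reveals the account's state."""
    acct = USERS.get(name)
    if acct is None:
        return GENERIC
    if acct.blocked_for:  # lockout is reported before the password is checked
        return f"Account is blocked for {acct.blocked_for} seconds."
    if acct.password != password:
        return GENERIC
    if not acct.frontend_access:
        return "No permissions for system access."
    return "OK"

def login_uniform(name: str, password: str) -> str:
    """Hardened: every failure yields GENERIC; the reason goes to the server log."""
    acct = USERS.get(name)
    if acct is None or acct.blocked_for or acct.password != password \
            or not acct.frontend_access:
        log.info("login rejected for %r (reason kept server-side)", name)
        return GENERIC
    return "OK"

def replies_vary_by_user(login_fn, names=("nobody", "locked", "noaccess")) -> bool:
    """True if a wrong-password attempt yields different replies for different names."""
    return len({login_fn(n, "wrong-password") for n in names}) > 1
```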
              People

              Assignee:
              zabbix.dev Zabbix Development Team
              Reporter:
              itsecurityco itsecurityco
              Votes:
              2
              Watchers:
              7
