Details
-
Type:
Defect (Security)
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: 3.0.29rc1, 4.0.16rc1, 4.4.4rc1, 5.0.0alpha1, 5.0 (plan)
-
Component/s: Frontend (F)
-
Team:Team B
-
Sprint:Sprint 59 (Dec 2019)
-
Story Points:0.5
Description
Persistent XSS vulnerabilities were introduced while introducing changes in ZBX-12825.
This affects multiple pages, for example problem view:
- Create trigger with the following URL: "javascript:alert('xss'); //{$THIS.SHOULD.LOOK.LIKE.USERMACRO}"
- Cause trigger to go to the problem state.
- Go to problems page and click on URL in trigger popup menu:
A bit harder it is to perform the same trick in Network maps as user macros are not enabled for network map URL. But still, it is possible through inventory macros:
- Create map with host element. Add URL with inventory URL macro (
{INVENTORY.URL.A}
).
- Set host inventory to manual and set inventory url A to "javascript:alert('xss'); //{$THIS.SHOULD.LOOK.LIKE.USERMACRO}"
- Save map
- Go to problems page and click on URL in map element popup menu:
Overall problem is caused by invalid validation termination when some of the conditions are met while others are not.
This is the first commit that broke the validation.
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/7c3dbcab386f60b4c8c5244850ec11c853c50a08#frontends/php/include/classes/validators/CHtmlUrlValidator.php