[ZBX-17101] Persistent xss caused by URL validator refactoring - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.0.29rc1, 4.0.16rc1, 4.4.4rc1, 5.0.0alpha1, 5.0 (plan)
Component/s: Frontend (F)
Labels:
- Frontend
- maps
- security
- url
- xss

Team:
Team B
Sprint:
Sprint 59 (Dec 2019)
Story Points:
0.5

Description

Persistent XSS vulnerabilities were introduced while introducing changes in ~~ZBX-12825~~.
This affects multiple pages, for example problem view:

Create trigger with the following URL: "javascript:alert('xss'); //{$THIS.SHOULD.LOOK.LIKE.USERMACRO}"
Cause trigger to go to the problem state.
Go to problems page and click on URL in trigger popup menu:

A bit harder it is to perform the same trick in Network maps as user macros are not enabled for network map URL. But still, it is possible through inventory macros:

Create map with host element. Add URL with inventory URL macro ( {INVENTORY.URL.A}
).
Set host inventory to manual and set inventory url A to "javascript:alert('xss'); //{$THIS.SHOULD.LOOK.LIKE.USERMACRO}"
Save map
Go to problems page and click on URL in map element popup menu:

Overall problem is caused by invalid validation termination when some of the conditions are met while others are not.

This is the first commit that broke the validation.
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/7c3dbcab386f60b4c8c5244850ec11c853c50a08#frontends/php/include/classes/validators/CHtmlUrlValidator.php

Attachments

Activity

People

Assignee:: Miks Kronkalns

Reporter:: Rostislav Palivoda

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019 Dec 09 13:44

Updated:: 2020 Jul 16 14:10

Resolved:: 2019 Dec 19 21:20