[ZBX-20536] Server side cache poisioning - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Trivial
Resolution: Won't fix
Affects Version/s: 6.0.0rc1
Fix Version/s: None
Component/s: Server (S)
Labels:
None

Description

Steps to reproduce:

For testing purpose i've used https://zabbix-stage-dal10.ole.redhat.com/

testcase : 1

adding : ;

https://zabbix-stage-dal10.ole.redhat.com/;
redirected to normal page

test case 2:

https://zabbix-stage-dal10.ole.redhat.com/;echo%20MPCSBG$((282037%2B31337))

again redirected to normal page

Final payload
https://zabbix-stage-dal10.ole.redhat.com/;echo%20MPCSBG$((282037%2B31337))$(echo%20MPCSBG)MPCSBG/got 500 internal status and cache got reflectedits now cached in server side

see screenshot 1

when we tried to give data on username and password it redirects to
https://zabbix-stage-dal10.ole.redhat.com/;echo%20MPCSBG$((282037%2B31337))$(echo%20MPCSBG)MPCSBG/index.php

Result file not found :
screenshot 2

Result:
see screenshot 1 &2
Expected:
should not cache on server

should not display any data on 500 status

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

1.png
37 kB
2022 Feb 04 12:10
2.png
18 kB
2022 Feb 04 12:10

Activity

People

Assignee:: Unassigned

Reporter:: pankaj

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2022 Feb 04 12:12

Updated:: 2022 Feb 04 16:14

Resolved:: 2022 Feb 04 16:14