ZBX-336

xss/csrf cause Admin session cookie compromise, full path disclosure, and other problems


Type: Incident report
Resolution: Fixed
Priority: Minor
Affects version: 1.4.3
Component: Frontend (F)

1) Lack of proper user input validation causes persistent XSS in the audit log. A remote attacker can go to the Zabbix login panel and try to log in with a login name like
"<b><font color=red>owned</b>". This leads to various types of persistent XSS attacks, including admin session cookie compromise etc. This problem is fixed
in 1.5 beta, but remains in the latest 1.4.4 stable version.

2) Faulty user authentication makes it possible for an attacker to control an authenticated user's session with CSRF. In the 1.4.4 stable version it is very easy to
use this together with the XSS bug and force the creation of a new user with superuser privileges when a legitimate user with privileges to create new users visits the audit log page.

3) In the 1.5 beta version the issue is a bit harder to exploit, because the XSS hole is fixed. In order to add a new user to Zabbix, you must force an authenticated
user to visit your custom-created page containing the CSRF forgery, which makes it a bit harder to exploit.

Note: you can do other things as well with this CSRF bug: delete other users, add/remove triggers, etc.

For a fix I suggest using a random token and submitting it with each piece of data submitted by the user. In such a scenario an attacker must also know this token in order to successfully exploit the CSRF.

4) There is also a possible full path disclosure in both the 1.4.4 stable and 1.5 beta versions if you go directly to http://domain/zabbix/vtext.php
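The two fixes the report calls for, as an added illustration that is not Zabbix's own PHP code: the login name from item 1 is HTML-encoded before it is written into the audit log page, and the per-session random token suggested after item 3 is required on every state-changing submission. The session dict, form dict and `handle_user_create` handler are assumed stand-ins for the real frontend.

```python
import hmac
import html
import secrets
from typing import Optional

# Constructed sample: the login name the report uses to trigger the audit-log XSS.
SAMPLE_LOGIN = '<b><font color=red>owned</b>'


def escape_for_audit_log(value: str) -> str:
    """Encode user-supplied text before echoing it into HTML, so markup in a
    failed-login name is displayed literally instead of being rendered."""
    return html.escape(value, quote=True)


def login(session: dict) -> None:
    """On successful login, store a fresh random token in the server-side
    session. It is never derived from anything an attacker can predict."""
    session["csrf_token"] = secrets.token_hex(32)


def render_hidden_token_field(session: dict) -> str:
    """Hidden input the frontend embeds in each form it serves to this session.
    A page on another origin cannot read it, so a forged POST lacks it."""
    return f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """True only if the submitted token equals the session's token.
    Constant-time comparison avoids leaking how many characters matched."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_user_create(session: dict, form: dict) -> str:
    """Simulated 'create user' POST handler (hypothetical): the token check
    runs before any state changes, so a cross-site forged request is refused."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    # The stored name is encoded on output, so audit-log entries stay inert.
    return "created user " + escape_for_audit_log(form["name"])
```

The token defence only holds while the XSS in item 1 is closed as well, since script running in the victim's page could read the hidden field.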

Assignee: Unassigned
Reporter: grave graavis