Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-336

xss/csrf cause Admin session cookie compromise, full path disclosure, and other problems

    XMLWordPrintable

Details

    • Incident report
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 1.4.3
    • None
    • Frontend (F)
    • None

    Description

      1) Lack of proper user input validation causes persistent xss in audit log. Remote attacker can go to Zabbix login panel, and try to login with login name like
      "<b><font color=red>owned</b>". This leads to various types of persistent xss attacks, including admin session cookie compromise etc. This problem is fixed
      in 1.5 beta, but remains in latest 1.4.4 stable version

      2) Faulty user authentication makes possible for attacker to control authenticated users session with csrf. For 1.4.4 stable version its very easy to
      use this together with xss bug, and force to create new user with superuser privileges, when legitimate user with privileges to create new user visits audit log page.

      3) For 1.5 beta version its a bit harder to exploit the issue, because the xss hole is fixed. In order to add new user to Zabbix, you must force authenticated
      user to visit your custom created page with csrf forgery, which makes it a bit harder to exploit.

      note: you can do other things as well with this csrf bug. Delete other users, add/remove triggers, etc.

      For a fix i suggest to use random token and use it with each data submited by user. In such scenario attacker must also know this token in order to successfuly exploit csrf.

      4) There is also possible full path disclosure in both 1.4.4 stable and 1.5 beta versions if you go directly to http://domain/zabbix/vtext.php

      Attachments

        Activity

          People

            Unassigned Unassigned
            grave graavis
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: