Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.8.6
    • Component/s: Frontend (F)
    • Labels:
      None
    • Environment:
      Any

      Description

      The acknow.php page is vulnerable to reflected XSS attacks. The following section of code doesn't sanitize data properly:

      if (isset($_REQUEST['saveandreturn'])) {
          // backurl comes straight from the request and reaches jsRedirect() unsanitized
          $url = new CUrl(urldecode($_REQUEST['backurl']));
          jsRedirect($url->getUrl());
          exit();
      }

      The $_REQUEST['backurl'] parameter can be manipulated to perform the XSS attack. Using a proxy, capture the parameters request and replace the backurl parameter with the following: </script><script>alert('XSS');</script> (see attachment for PoC).

      Fix: Sanitize the backurl request parameter and don't assume the user is going to leave the <url>.php in place.
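
The pattern described in the report next to one way to close it, as an added example that is not Zabbix's code or the fix committed for this issue. The function names, the markup the unsafe helper emits, and the allowlist of pages are assumptions; it targets PHP 7 or later.

```php
<?php
// Added illustration; function names are hypothetical, not Zabbix's API.

// Vulnerable pattern: the URL is concatenated into an inline script, so a value
// containing "</script>" closes the block and the rest is parsed as HTML.
function redirect_script_unsafe(string $url): string {
    return "<script>window.location.replace('" . $url . "');</script>";
}

// Step 1: accept only a relative path to a known frontend page.
function safe_back_url(string $raw, array $allowedPages, string $default): string {
    $parts = parse_url($raw);
    // Reject unparsable values and anything that names a scheme or host.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    $path = $parts['path'] ?? '';
    if (!in_array($path, $allowedPages, true)) {
        return $default;
    }
    // Rebuild the query from parsed values instead of echoing the raw string.
    parse_str($parts['query'] ?? '', $query);
    return $path . ($query ? '?' . http_build_query($query) : '');
}

// Step 2: emit the value as a JS string literal with <, >, &, ' and "
// written as \uXXXX escapes, so it cannot terminate the script element.
function redirect_script_safe(string $url): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>window.location.replace(' . json_encode($url, $flags) . ');</script>';
}

// Constructed inputs: the payload quoted in the report and a benign value.
$allowed = ['events.php', 'tr_status.php']; // assumed allowlist
$inputs  = ["</script><script>alert('XSS');</script>", 'events.php?triggerid=13'];

foreach ($inputs as $raw) {
    echo "input:  ", $raw, "\n";
    echo "unsafe: ", redirect_script_unsafe($raw), "\n";
    echo "safe:   ", redirect_script_safe(safe_back_url($raw, $allowed, 'events.php')), "\n\n";
}
```

Either step alone stops the payload in the report; the allowlist additionally keeps backurl from becoming an open redirect.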

        Activity

        Alexey Fukalov added a comment -

        dev branch: svn://svn.zabbix.com/branches/dev/ZBX-3835

        Alexey Fukalov added a comment -

        svn://svn.zabbix.com/branches/1.8 -r20789


          People

          • Assignee:
            Alexey Fukalov
            Reporter:
            Damian Tommasino
          • Votes:
            0
            Watchers:
            0

            Dates

            • Created:
              Updated:
              Resolved: