ZABBIX BUGS AND ISSUES

Cross Site Scripting Vulnerability

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.8.6
  • Component/s: Frontend (F)
  • Labels:
    None
  • Environment:
    Any
  • Zabbix ID:
    NA

Description

The acknow.php page is vulnerable to reflected XSS attacks. The following section of code doesn't sanitize data properly:

    if(isset($_REQUEST['saveandreturn'])){
        $url = new CUrl(urldecode($_REQUEST['backurl']));
        jsRedirect($url->getUrl());
        exit();
    }

The $_REQUEST['backurl'] parameter can be manipulated to perform the XSS attack. Using a proxy, capture the request parameters and replace the backurl parameter with the following: </script><script>alert('XSS');</script> (see attachment for PoC).

Fix: Sanitize the backurl request parameter and don't assume the user is going to leave the <url>.php in place ;-)
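
One way to apply the suggested fix, shown as an added example that is not Zabbix code and not the change committed for this issue. It assumes the redirect helper writes the URL into an inline script block, as the reported payload implies; safeBackUrl() and redirectScript() are hypothetical names and the sample inputs are constructed.

```php
<?php
/**
 * Accept backurl only when it is a relative link to a frontend .php page.
 * Anything else (markup, schemes, other hosts, paths) falls back to $default.
 */
function safeBackUrl($raw, $default = 'index.php')
{
    if (!is_string($raw)) {
        return $default;
    }
    // PHP has already URL-decoded $_REQUEST values; calling urldecode() again
    // would let double-encoded input (%253C -> %3C -> <) slip past this check.
    // Script name, then an optional query string of URL-safe characters only.
    $pattern = '/\A[a-z0-9_]+\.php(\?[A-Za-z0-9_.~%&=\[\]+-]*)?\z/';
    return preg_match($pattern, $raw) === 1 ? $raw : $default;
}

/**
 * Build the redirect script. The JSON_HEX_* flags emit <, >, &, ' and " as
 * \uXXXX escapes, so the value cannot close the string literal or the
 * enclosing script element even if validation is bypassed.
 */
function redirectScript($url)
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script type="text/javascript">window.location.replace('
        . json_encode($url, $flags) . ');</script>';
}

// Constructed inputs: one legitimate value, the payload from the report,
// and two values that would turn the redirect into an off-site or script URL.
$samples = array(
    'status.php?groupid=0&hostid=0',
    "</script><script>alert('XSS');</script>",
    '//example.invalid/x.php',
    'javascript:alert(1)//x.php',
);
foreach ($samples as $s) {
    echo redirectScript(safeBackUrl($s)), "\n";
}
```

Only the first sample survives validation; the other three are replaced by the default page before the script is built.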

Activity

Alexey Fukalov added a comment -

dev branch: svn://svn.zabbix.com/branches/dev/ZBX-3835

Alexey Fukalov added a comment -

svn://svn.zabbix.com/branches/1.8 -r20789

