  1. ZABBIX BUGS AND ISSUES
  2. ZBX-3835

Cross Site Scripting Vulnerability

    • Incident report
    • Resolution: Fixed
    • Minor
    • 1.8.6
    • None
    • Frontend (F)
    • None
    • Any

      The acknow.php page is vulnerable to reflected XSS attacks. The following section of code doesn't sanitize data properly:

      if (isset($_REQUEST['saveandreturn'])) {
          $url = new CUrl(urldecode($_REQUEST['backurl']));
          jsRedirect($url->getUrl());
          exit();
      }

      The $_REQUEST['backurl'] parameter can be manipulated to perform the XSS attack. Using a proxy, capture the request parameters and replace the backurl parameter with the following: </script><script>alert('XSS');</script> (see attachment for PoC).

      Fix: Sanitize the backurl request parameter and don't assume the user is going to leave the <url>.php in place.

        1. zabbix_cookie1.png
          65 kB
          Damian Tommasino
        2. zabbix_xss2.png
          48 kB
          Damian Tommasino

            Unassigned
            infosec01 Damian Tommasino
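
One way to apply the fix suggested in the report, as an added example (not Zabbix code and not the change that was committed): validate backurl as a same-site reference to a .php page, then encode it for the JavaScript string it is written into. safeBackUrl() and jsRedirectSafe() are hypothetical names, and the inline-script form of the redirect is an assumption about how jsRedirect() emits it.

```php
<?php
// Added example; safeBackUrl() and jsRedirectSafe() are hypothetical helpers.

// Accept only a same-site relative reference to a .php page, else fall back.
// PHP has already URL-decoded $_REQUEST values, so no second urldecode() is applied.
function safeBackUrl(?string $raw, string $fallback = 'index.php'): string
{
    if ($raw === null || $raw === '') {
        return $fallback;
    }
    // Reject control characters, markup characters, quotes and backslashes.
    if (preg_match('/[\x00-\x1F\x7F<>"\'\\\\]/', $raw)) {
        return $fallback;
    }
    $parts = parse_url($raw);
    // No scheme, host, user info or port: the target must stay on this site.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user']) || isset($parts['port'])) {
        return $fallback;
    }
    // The path must be a plain script name such as "tr_status.php".
    if (!isset($parts['path']) || !preg_match('/^[A-Za-z0-9_.-]+\.php\z/', $parts['path'])) {
        return $fallback;
    }
    return $raw;
}

// Build the redirect script with the URL encoded for a JavaScript string context.
function jsRedirectSafe(string $url): string
{
    // The JSON_HEX_* flags escape <, >, &, ' and " so the value cannot close
    // the string literal or the surrounding <script> element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return '<script type="text/javascript">window.location.replace('
         . json_encode($url, $flags) . ');</script>';
}

// Constructed sample inputs; the second is the value quoted in the report.
$samples = [
    'tr_status.php?groupid=0&hostid=0',
    "</script><script>alert('XSS');</script>",
    '//example.invalid/acknow.php',
    'javascript:void(0)',
];
foreach ($samples as $s) {
    echo jsRedirectSafe(safeBackUrl($s)), PHP_EOL;
}
```

Only the first sample is passed through; the other three fall back to index.php. The encoding step stays in place even after validation so that the output is safe independently of the allow-list.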