Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-4015

Persistent Cross Site Scripting Vulnerabilities

XMLWordPrintable

    • Icon: Defect (Security) Defect (Security)
    • Resolution: Fixed
    • Icon: Blocker Blocker
    • 1.8.10, 1.9.9 (beta)
    • 1.8.5
    • Frontend (F)
    • Debian GNU/Linux 5.0.8 (Lenny)
      Apache 2.2.16
      PHP 5.3.3

      Tested with:
      Mozilla Firefox 5.0

      These URL's are vulnerable to persistent XSS attacks due to improper sanitation of gname variable when creating user and host groups.

      URL:
      hostgroups.php
      usergrps.php

      Vulnerable parameter:
      gname

      Method:
      POST

      Injected:
      "</options><script>alert('XSS')</script>

      Persists in:
      http://test/zabbix/hostgroups.php
      http://test/zabbix/users.php
      http://test/zabbix/hosts.php?form=update&hostid=N (where N is a valid hostid)
      http://test/zabbix/scripts.php?form=1&scriptid=N (where N is a valid scriptid)
      http://test/zabbix/maintenance.php

        1. triggers_items.jpg
          triggers_items.jpg
          40 kB
        2. timeperiod.jpg
          timeperiod.jpg
          21 kB
        3. monitoring_maps.jpg
          monitoring_maps.jpg
          31 kB
        4. monitoring_dashboard.jpg
          monitoring_dashboard.jpg
          37 kB
        5. link_indicator.jpg
          link_indicator.jpg
          25 kB
        6. 4.png
          4.png
          97 kB
        7. 3.png
          3.png
          94 kB
        8. 2.png
          2.png
          86 kB
        9. 1.png
          1.png
          91 kB

            Unassigned Unassigned
            mmatari Martina Matari
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved: