Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-4015

Persistent Cross Site Scripting Vulnerabilities

XMLWordPrintable

    • Icon: Defect (Security) Defect (Security)
    • Resolution: Fixed
    • Icon: Blocker Blocker
    • 1.8.10, 1.9.9 (beta)
    • 1.8.5
    • Frontend (F)
    • Debian GNU/Linux 5.0.8 (Lenny)
      Apache 2.2.16
      PHP 5.3.3

      Tested with:
      Mozilla Firefox 5.0

      These URL's are vulnerable to persistent XSS attacks due to improper sanitation of gname variable when creating user and host groups.

      URL:
      hostgroups.php
      usergrps.php

      Vulnerable parameter:
      gname

      Method:
      POST

      Injected:
      "</options><script>alert('XSS')</script>

      Persists in:
      http://test/zabbix/hostgroups.php
      http://test/zabbix/users.php
      http://test/zabbix/hosts.php?form=update&hostid=N (where N is a valid hostid)
      http://test/zabbix/scripts.php?form=1&scriptid=N (where N is a valid scriptid)
      http://test/zabbix/maintenance.php

        1. triggers_items.jpg
          40 kB
          Alexander Vladishev
        2. timeperiod.jpg
          21 kB
          Alexander Vladishev
        3. monitoring_maps.jpg
          31 kB
          Alexander Vladishev
        4. monitoring_dashboard.jpg
          37 kB
          Alexander Vladishev
        5. link_indicator.jpg
          25 kB
          Alexander Vladishev
        6. 4.png
          97 kB
          Martina Matari
        7. 3.png
          94 kB
          Martina Matari
        8. 2.png
          86 kB
          Martina Matari
        9. 1.png
          91 kB
          Martina Matari

            Unassigned Unassigned
            mmatari Martina Matari
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved: