ZABBIX BUGS AND ISSUES

Persistent Cross Site Scripting Vulnerabilities

Details

  • Type: Bug
  • Status: Closed
  • Priority: Blocker
  • Resolution: Fixed
  • Affects Version/s: 1.8.5
  • Fix Version/s: 1.8.10, 1.9.9 (beta)
  • Component/s: Frontend (F)
  • Labels:
  • Environment:
    Debian GNU/Linux 5.0.8 (Lenny)
    Apache 2.2.16
    PHP 5.3.3

    Tested with:
    Mozilla Firefox 5.0
  • Zabbix ID:
    Reviewed 2.0

Description

These URLs are vulnerable to persistent XSS attacks due to improper sanitization of the gname variable when creating user and host groups.

URL:
hostgroups.php
usergrps.php

Vulnerable parameter:
gname

Method:
POST

Injected:
"</options><script>alert('XSS')</script>

Persists in:
http://test/zabbix/hostgroups.php
http://test/zabbix/users.php
http://test/zabbix/hosts.php?form=update&hostid=N (where N is a valid hostid)
http://test/zabbix/scripts.php?form=1&scriptid=N (where N is a valid scriptid)
http://test/zabbix/maintenance.php

Attachments

  1. 1.png (91 kB, 2011 Aug 04 06:21)
  2. 2.png (86 kB, 2011 Aug 04 06:21)
  3. 3.png (94 kB, 2011 Aug 04 06:21)
  4. 4.png (97 kB, 2011 Aug 04 06:23)
  5. link_indicator.jpg (25 kB, 2011 Nov 14 16:54)
  6. monitoring_dashboard.jpg (37 kB, 2011 Dec 02 16:20)
  7. monitoring_maps.jpg (31 kB, 2011 Dec 02 16:46)
  8. timeperiod.jpg (21 kB, 2011 Nov 11 22:52)
  9. triggers_items.jpg (40 kB, 2011 Nov 11 23:07)

Issue Links

Activity

Pavels Jelisejevs added a comment -

RESOLVED.

Pavels Jelisejevs added a comment -

Merged to /branches/1.8 revision r23578.

Pavels Jelisejevs added a comment - - edited

(4) Fixed another issue in /branches/dev/ZBX-4015 r23588. Please review.

<sasha> CLOSED

Pavels Jelisejevs added a comment - - edited

(5) Added a fix for the trunk to /branches/dev/ZBX-4015-trunk. Please review.

<sasha> CLOSED

richlv added a comment - - edited

(6) see ZBX-4413 for a regression, caused by this

<pavels> RESOLVED in branches/dev/ZBX-4015 r23697.

<richlv> wouldn't this change it functionally (remove those spaces, making it look worse?), and I believe spacing at the end of the line has not been updated according to the guidelines

  • $type_select->additem(TRIGGER_MULT_EVENT_ENABLED,S_NORMAL.SPACE.'+'.SPACE.S_MULTIPLE_PROBLEM_EVENTS,(($type == TRIGGER_MULT_EVENT_ENABLED)? 'yes':'no'));
    + $type_select->additem(TRIGGER_MULT_EVENT_ENABLED,S_NORMAL.' + '.S_MULTIPLE_PROBLEM_EVENTS,(($type == TRIGGER_MULT_EVENT_ENABLED)? 'yes':'no'));
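Review bot: the replacement hard-codes ' + ' where the old line used SPACE.'+'.SPACE, so if SPACE expands to an entity such as &nbsp; (as the follow-up comment says it does) the label loses its non-breaking spaces and may wrap differently; either keep the constant or note in the commit message that plain spaces are intended. Since the line is being touched anyway, the arguments are still run together with no space after the commas and the ternary is wrapped in redundant parentheses, so it should be reformatted per the coding guidelines.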

<pavels> It doesn't change anything, I just replaced the &nbsp; character with a literal space. Fixed the spacing.
<sasha> CLOSED
<richlv> huh, sorry about that "functionality" part - lack of sleep did its part. still CLOSED

Pavels Jelisejevs added a comment - - edited

(7) Fixed XSS in the profiler and some HTML entity issues in branches/dev/ZBX-4015-trunk. Please review.

<sasha> REOPENED
(7.1) Monitoring->Dashboard - hints
https://support.zabbix.com/secure/attachment/17578/monitoring_dashboard.jpg
(7.2) Monitoring->Maps - Element menu
https://support.zabbix.com/secure/attachment/17579/monitoring_maps.jpg

<pavels> RESOLVED.
<sasha> CLOSED

Pavels Jelisejevs added a comment -

Merged to 1.8 revision r23754.

Pavels Jelisejevs added a comment -

Merged to trunk revision 23800.

CLOSED.

Pavels Jelisejevs added a comment - - edited

(8) [GUI] Rich suggested that using non-ASCII characters in the code may cause problems, so I changed the HTML encoding strategy to ignore ampersands. This will allow us to use HTML encoded characters in the code.

Please review my commit to /branches/dev/ZBX-4015-trunk r23855.

REOPENED and RESOLVED.
<sasha> CLOSED
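One way to render the reported gname value safely, shown here as an added example and not Zabbix's own code: it escapes the characters that can open or close markup while leaving ampersands untouched, which is my reading of the "ignore ampersands" strategy in (8) (an assumption), placed next to PHP's htmlspecialchars with double encoding disabled for comparison.

```php
<?php
// Added example, not Zabbix code. Encodes an attacker-controlled group name
// before it is written into HTML, so the report's payload becomes inert text.

// Strategy from comment (8) as I read it (assumption): escape the characters
// that can open or close markup, but leave '&' alone so entities that already
// exist in the source (e.g. '&nbsp;') are not turned into '&amp;nbsp;'.
function encodeIgnoringAmpersand($value)
{
    return strtr((string) $value, array(
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#039;',
    ));
}

// Built-in alternative: also encodes '&', but double_encode=false keeps
// well-formed entities that are already present.
function encodeStandard($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8', false);
}

// Constructed input: the payload from the report description.
$gname = "\"</options><script>alert('XSS')</script>";

// Both encoders neutralise the payload; it now displays as literal text
// inside the option instead of closing the element and starting a script.
echo '<option value="' . encodeIgnoringAmpersand($gname) . '">'
   . encodeIgnoringAmpersand($gname) . "</option>\n";
echo '<option value="' . encodeStandard($gname) . '">'
   . encodeStandard($gname) . "</option>\n";

// Where the two differ: a label that carries an entity from the source code.
$label = 'Normal&nbsp;+&nbsp;Multiple';
echo encodeIgnoringAmpersand($label), "\n";                // entity untouched
echo encodeStandard($label), "\n";                         // entity untouched
echo htmlspecialchars($label, ENT_QUOTES, 'UTF-8'), "\n";  // default double-encodes it

// Trade-off of ignoring '&': user input such as '&lt;b&gt;' is passed through
// and the browser shows the literal text "<b>" rather than a tag, so nothing
// executes, but a stray '&' from user data is left unencoded in the output.
```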

Alexander Vladishev added a comment -

branches/dev/ZBX-4015 (1.8) Successfully TESTED

Pavels Jelisejevs added a comment -

Updated trunk r23875 and 1.8 r23878.

CLOSED.

richlv added a comment -

this resulted in a regression : ZBX-4506

