ZABBIX BUGS AND ISSUES
ZBX-4015

Persistent Cross Site Scripting Vulnerabilities

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.8.5
    • Fix Version/s: 1.8.10, 1.9.9 (beta)
    • Component/s: Frontend (F)
    • Labels:
    • Environment:
      Debian GNU/Linux 5.0.8 (Lenny)
      Apache 2.2.16
      PHP 5.3.3

      Tested with:
      Mozilla Firefox 5.0

      Description

      These URLs are vulnerable to persistent XSS attacks due to improper sanitization of the gname variable when creating user and host groups.

      URL:
      hostgroups.php
      usergrps.php

      Vulnerable parameter:
      gname

      Method:
      POST

      Injected:
      "</options><script>alert('XSS')</script>

      Persists in:
      http://test/zabbix/hostgroups.php
      http://test/zabbix/users.php
      http://test/zabbix/hosts.php?form=update&hostid=N (where N is a valid hostid)
      http://test/zabbix/scripts.php?form=1&scriptid=N (where N is a valid scriptid)
      http://test/zabbix/maintenance.php


          Activity

          Martina Matari created issue -
          Martina Matari made changes -
          Field Original Value New Value
          Attachment 4.png [ 15721 ]
          Alexei Vladishev made changes -
          Labels security
          Fix Version/s 2.0 [ 10402 ]
          Priority Minor [ 4 ] Blocker [ 1 ]
          Zabbix ID NA Reviewed 2.0
          Alexey Fukalov made changes -
          Assignee Pavels Jelisejevs [ jelisejev ]
          Pavels Jelisejevs added a comment -

          RESOLVED.

          Pavels Jelisejevs made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Pavels Jelisejevs made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Pavels Jelisejevs made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Alexander Vladishev made changes -
          Attachment timeperiod.jpg [ 17289 ]
          Alexander Vladishev made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Alexander Vladishev made changes -
          Attachment triggers_items.jpg [ 17290 ]
          Pavels Jelisejevs made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Alexander Vladishev made changes -
          Attachment link_indicator.jpg [ 17300 ]
          Pavels Jelisejevs made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Pavels Jelisejevs made changes -
          Comment [ By the way, there is a separate fix for trunk-specific issues in branches/dev/ZBX-4015-trunk. ]
          Pavels Jelisejevs made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Alexander Vladishev made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Pavels Jelisejevs made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Alexei Vladishev made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Pavels Jelisejevs made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Alexander Vladishev made changes -
          Assignee Pavels Jelisejevs [ jelisejev ] Alexander Vladishev [ sasha ]
          Alexander Vladishev made changes -
          Status Resolved [ 5 ] Tested [ 10002 ]
          Assignee Alexander Vladishev [ sasha ] Pavels Jelisejevs [ jelisejev ]
          Pavels Jelisejevs added a comment -

          Merged to /branches/1.8 revision r23578.

          Pavels Jelisejevs added a comment - - edited

          (4) Fixed another issue in /branches/dev/ZBX-4015 r23588. Please review.

          <sasha> CLOSED

          Pavels Jelisejevs added a comment - - edited

          (5) Added a fix for the trunk to /branches/dev/ZBX-4015-trunk. Please review.

          <sasha> CLOSED

          Pavels Jelisejevs made changes -
          Status Tested [ 10002 ] Reopened [ 4 ]
          Pavels Jelisejevs made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          richlv added a comment - - edited

          (6) see ZBX-4413 for a regression, caused by this

          <pavels> RESOLVED in branches/dev/ZBX-4015 r23697.

          <richlv> wouldn't this change it functionally (remove those spaces, making it look worse?), and I believe spacing at the end of the line has not been updated according to the guidelines

          • $type_select->additem(TRIGGER_MULT_EVENT_ENABLED,S_NORMAL.SPACE.'+'.SPACE.S_MULTIPLE_PROBLEM_EVENTS,(($type == TRIGGER_MULT_EVENT_ENABLED)? 'yes':'no'));
            + $type_select->additem(TRIGGER_MULT_EVENT_ENABLED,S_NORMAL.' + '.S_MULTIPLE_PROBLEM_EVENTS,(($type == TRIGGER_MULT_EVENT_ENABLED)? 'yes':'no'));
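          Review bot: on the + line the caption is now built as S_NORMAL.' + '.S_MULTIPLE_PROBLEM_EVENTS, so whether it is safe and renders as intended depends on additem() HTML-encoding its caption argument, which is not visible in this hunk; please say so in the commit message or a comment next to the call. The ternary at the end of the line is still written as ")? 'yes':'no'" and the arguments have no space after the commas, which looks like the end-of-line spacing the guidelines remark is about; ") ? 'yes' : 'no'" would address it.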

          <pavels> It doesn't change anything, I just replaced the &nbsp; character with a literal space. Fixed the spacing.
          <sasha> CLOSED
          <richlv> huh, sorry about that "functionality" part - lack of sleep did its part. still CLOSED

          Pavels Jelisejevs made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Pavels Jelisejevs made changes -
          Link This issue is duplicated by ZBX-4413 [ ZBX-4413 ]
          Pavels Jelisejevs added a comment - - edited

          (7) Fixed XSS in the profiler and some HTML entity issues in branches/dev/ZBX-4015-trunk. Please review.

          <sasha> REOPENED
          (7.1) Monitoring->Dashboard - hints
          https://support.zabbix.com/secure/attachment/17578/monitoring_dashboard.jpg
          (7.2) Monitoring->Maps - Element menu
          https://support.zabbix.com/secure/attachment/17579/monitoring_maps.jpg

          <pavels> RESOLVED.
          <sasha> CLOSED

          Pavels Jelisejevs made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Pavels Jelisejevs added a comment -

          Merged to 1.8 revision r23754.

          Alexander Vladishev made changes -
          Attachment monitoring_dashboard.jpg [ 17578 ]
          Alexander Vladishev made changes -
          Attachment monitoring_maps.jpg [ 17579 ]
          Alexander Vladishev made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Pavels Jelisejevs made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Alexander Vladishev made changes -
          Assignee Pavels Jelisejevs [ jelisejev ] Alexander Vladishev [ sasha ]
          Alexander Vladishev made changes -
          Status Resolved [ 5 ] Tested [ 10002 ]
          Assignee Alexander Vladishev [ sasha ] Pavels Jelisejevs [ jelisejev ]
          Pavels Jelisejevs added a comment -

          Merged to trunk revision 23800.

          CLOSED.

          Pavels Jelisejevs made changes -
          Status Tested [ 10002 ] Closed [ 6 ]
          Fix Version/s 1.8.10 [ 10506 ]
          Fix Version/s 1.9.9 (trunk) [ 10800 ]
          Fix Version/s 2.0 [ 10402 ]
          Pavels Jelisejevs added a comment - - edited

          (8) [GUI] Rich suggested that using non-ASCII characters in the code may cause problems, so I changed the HTML encoding strategy to ignore ampersands. This will allow us to use HTML encoded characters in the code.

          Please review my commit to /branches/dev/ZBX-4015-trunk r23855.

          REOPENED and RESOLVED.
          <sasha> CLOSED
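
The rendering problem from the report and the ampersand-skipping encoding described in comment (8), as an added example that is not Zabbix frontend code: one group name is written into an <option> element unencoded, fully encoded, and encoded with ampersands left alone. The function names and the second sample name are assumptions made for this illustration.

```php
<?php
// Added illustration; all function names are hypothetical, not Zabbix code.

// "Before": the group name is concatenated into the markup unencoded.
function option_raw(string $id, string $name): string {
    return '<option value="' . $id . '">' . $name . '</option>';
}

// Full encoding: &, <, >, " and ' all become entities.
function encode_full(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Encoding that skips ampersands, as in comment (8): entities written in
// the code (such as &nbsp;) survive, but so do entities typed by a user.
function encode_keep_amp(string $s): string {
    return str_replace(
        ['<', '>', '"', "'"],
        ['&lt;', '&gt;', '&quot;', '&#039;'],
        $s
    );
}

function option_encoded(string $id, string $name, callable $enc): string {
    return '<option value="' . $enc($id) . '">' . $enc($name) . '</option>';
}

// Constructed sample input: the gname value from the report.
$gname = '"</options><script>alert(\'XSS\')</script>';

// Unencoded, the stored name reaches the page as a live script element.
echo 'raw contains <script>: ';
var_export(strpos(option_raw('7', $gname), '<script>') !== false);
echo PHP_EOL;

// With either encoder, no markup character from the name is left in the output.
foreach (['encode_full', 'encode_keep_amp'] as $enc) {
    $html = option_encoded('7', $gname, $enc);
    echo $enc, ' contains <script>: ';
    var_export(strpos($html, '<script>') !== false);
    echo PHP_EOL, '  ', $html, PHP_EOL;
}

// Where the two strategies differ: a name that itself contains entity text
// (constructed). Full encoding displays it exactly as typed; skipping
// ampersands lets the browser decode it and display R&D <lab> as text.
$typed = 'R&amp;D &lt;lab&gt;';
echo encode_full($typed), PHP_EOL;
echo encode_keep_amp($typed), PHP_EOL;
```

Skipping ampersands still keeps markup characters out of element text and quoted attribute values, but stored names that contain entity text are no longer displayed exactly as entered. Neither encoder is sufficient on its own for values placed inside inline JavaScript or URL attributes.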

          Pavels Jelisejevs made changes -
          Resolution Fixed [ 1 ]
          Status Closed [ 6 ] Reopened [ 4 ]
          Alexander Vladishev made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Alexander Vladishev made changes -
          Status Resolved [ 5 ] Tested [ 10002 ]
          Alexander Vladishev added a comment -

          branches/dev/ZBX-4015 (1.8) Successfully TESTED

          Pavels Jelisejevs added a comment -

          Updated trunk r23875 and 1.8 r23878.

          CLOSED.

          Pavels Jelisejevs made changes -
          Status Tested [ 10002 ] Closed [ 6 ]
          richlv added a comment -

          this resulted in a regression: ZBX-4506

          Alexei Vladishev made changes -
          Workflow Zabbix workflow [ 21895 ] Zabbix workflow - new [ 45085 ]

            People

            • Assignee:
              Pavels Jelisejevs
              Reporter:
              Martina Matari