ZABBIX BUGS AND ISSUES

Persistent Cross Site Scripting Vulnerabilities

Details

  • Type: Bug
  • Status: Closed
  • Priority: Blocker
  • Resolution: Fixed
  • Affects Version/s: 1.8.5
  • Fix Version/s: 1.8.10, 1.9.9 (beta)
  • Component/s: Frontend (F)
  • Labels:
  • Environment:
    Debian GNU/Linux 5.0.8 (Lenny)
    Apache 2.2.16
    PHP 5.3.3

    Tested with:
    Mozilla Firefox 5.0
  • Zabbix ID:
    Reviewed 2.0

Description

These URLs are vulnerable to persistent XSS attacks due to improper sanitization of the gname variable when creating user and host groups.

URL:
hostgroups.php
usergrps.php

Vulnerable parameter:
gname

Method:
POST

Injected:
"</options><script>alert('XSS')</script>

Persists in:
http://test/zabbix/hostgroups.php
http://test/zabbix/users.php
http://test/zabbix/hosts.php?form=update&hostid=N (where N is a valid hostid)
http://test/zabbix/scripts.php?form=1&scriptid=N (where N is a valid scriptid)
http://test/zabbix/maintenance.php

Attachments

  1. 1.png (91 kB, 2011 Aug 04 06:21)
  2. 2.png (86 kB, 2011 Aug 04 06:21)
  3. 3.png (94 kB, 2011 Aug 04 06:21)
  4. 4.png (97 kB, 2011 Aug 04 06:23)
  5. link_indicator.jpg (25 kB, 2011 Nov 14 16:54)
  6. monitoring_dashboard.jpg (37 kB, 2011 Dec 02 16:20)
  7. monitoring_maps.jpg (31 kB, 2011 Dec 02 16:46)
  8. timeperiod.jpg (21 kB, 2011 Nov 11 22:52)
  9. triggers_items.jpg (40 kB, 2011 Nov 11 23:07)
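
The root cause described in the report, as an added example (not Zabbix code and not part of the original issue): a stored group name rendered into a select list without and with output encoding. The function names and the sample data are assumptions made for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added example; every name below is hypothetical, not taken from Zabbix.

// Constructed sample of group names as they would come back from storage,
// including the value from the report's "Injected" field.
$storedGroups = [
    1 => 'Linux servers',
    2 => '"</options><script>alert(\'XSS\')</script>',
];

// Before: the stored name is concatenated into markup unchanged, so every
// page that lists groups replays whatever was saved.
function renderOptionsUnsafe(array $groups): string {
    $html = '';
    foreach ($groups as $id => $name) {
        $html .= '<option value="' . $id . '">' . $name . "</option>\n";
    }
    return $html;
}

// After: encode at output time in one shared helper. ENT_QUOTES covers both
// quote characters, so the helper is safe for attribute values and text.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function renderOptionsSafe(array $groups): string {
    $html = '';
    foreach ($groups as $id => $name) {
        $html .= '<option value="' . esc((string) $id) . '">' . esc($name) . "</option>\n";
    }
    return $html;
}

// Regression check: apart from the <option> tags the renderer emits itself,
// the output must contain no angle brackets at all.
function containsForeignMarkup(string $html): bool {
    $stripped = preg_replace('#</?option[^>]*>#', '', $html);
    return strpbrk($stripped, '<>') !== false;
}

echo "unsafe renderer leaks markup: ";
var_dump(containsForeignMarkup(renderOptionsUnsafe($storedGroups)));
echo "safe renderer leaks markup: ";
var_dump(containsForeignMarkup(renderOptionsSafe($storedGroups)));
```

Because the stored value is shown on several pages (the "Persists in" list above), the encoding belongs in the shared rendering helper rather than in each page.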

Activity

Martina Matari made changes -
Field Original Value New Value
Attachment 4.png [ 15721 ]
Alexei Vladishev made changes -
Labels security
Fix Version/s 2.0 [ 10402 ]
Priority Minor [ 4 ] Blocker [ 1 ]
Zabbix ID NA Reviewed 2.0
Alexey Fukalov made changes -
Assignee Pavels Jelisejevs [ jelisejev ]
Pavels Jelisejevs added a comment -

RESOLVED.

Pavels Jelisejevs made changes -
Status Open [ 1 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Pavels Jelisejevs made changes -
Resolution Fixed [ 1 ]
Status Resolved [ 5 ] Reopened [ 4 ]
Pavels Jelisejevs made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Alexander Vladishev made changes -
Attachment timeperiod.jpg [ 17289 ]
Alexander Vladishev made changes -
Resolution Fixed [ 1 ]
Status Resolved [ 5 ] Reopened [ 4 ]
Alexander Vladishev made changes -
Attachment triggers_items.jpg [ 17290 ]
Pavels Jelisejevs made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Alexander Vladishev made changes -
Attachment link_indicator.jpg [ 17300 ]
Pavels Jelisejevs made changes -
Resolution Fixed [ 1 ]
Status Resolved [ 5 ] Reopened [ 4 ]
Pavels Jelisejevs made changes -
Comment [ By the way, there is a separate fix for trunk-specific issues in branches/dev/ZBX-4015-trunk. ]
Pavels Jelisejevs made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Alexander Vladishev made changes -
Resolution Fixed [ 1 ]
Status Resolved [ 5 ] Reopened [ 4 ]
Pavels Jelisejevs made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Alexei Vladishev made changes -
Resolution Fixed [ 1 ]
Status Resolved [ 5 ] Reopened [ 4 ]
Pavels Jelisejevs made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Alexander Vladishev made changes -
Assignee Pavels Jelisejevs [ jelisejev ] Alexander Vladishev [ sasha ]
Alexander Vladishev made changes -
Status Resolved [ 5 ] Tested [ 10002 ]
Assignee Alexander Vladishev [ sasha ] Pavels Jelisejevs [ jelisejev ]
Pavels Jelisejevs added a comment -

Merged to /branches/1.8 revision r23578.

Pavels Jelisejevs added a comment - - edited

(4) Fixed another issue in /branches/dev/ZBX-4015 r23588. Please review.

<sasha> CLOSED

Pavels Jelisejevs added a comment - - edited

(5) Added a fix for the trunk to /branches/dev/ZBX-4015-trunk. Please review.

<sasha> CLOSED

Pavels Jelisejevs made changes -
Status Tested [ 10002 ] Reopened [ 4 ]
Pavels Jelisejevs made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
richlv added a comment - - edited

(6) see ZBX-4413 for a regression, caused by this

<pavels> RESOLVED in branches/dev/ZBX-4015 r23697.

<richlv> wouldn't this change it functionally (remove those spaces, making it look worse ?), and i believe spacing at the end of the line has not been updated according to the guidelines

  • $type_select->additem(TRIGGER_MULT_EVENT_ENABLED,S_NORMAL.SPACE.'+'.SPACE.S_MULTIPLE_PROBLEM_EVENTS,(($type == TRIGGER_MULT_EVENT_ENABLED)? 'yes':'no'));
    + $type_select->additem(TRIGGER_MULT_EVENT_ENABLED,S_NORMAL.' + '.S_MULTIPLE_PROBLEM_EVENTS,(($type == TRIGGER_MULT_EVENT_ENABLED)? 'yes':'no'));
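
Review bot: on the added line the caption is now S_NORMAL.' + '.S_MULTIPLE_PROBLEM_EVENTS, built by plain concatenation with literal spaces in place of the SPACE constant; since this belongs to an XSS fix, confirm in the same commit that additem() HTML-encodes the caption it receives, so that the concatenated strings are escaped on output and nothing relies on markup passing through it. The added line also keeps the old formatting (no space after the commas, and ")? 'yes':'no'"), which could be tidied while the line is being touched.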

<pavels> It doesn't change anything, I just replaced the   character with a literal space. Fixed the spacing.
<sasha> CLOSED
<richlv> huh, sorry about that "functionality" part - lack of sleep did its part. still CLOSED

Pavels Jelisejevs made changes -
Resolution Fixed [ 1 ]
Status Resolved [ 5 ] Reopened [ 4 ]
Pavels Jelisejevs made changes -
Link This issue is duplicated by ZBX-4413 [ ZBX-4413 ]
Pavels Jelisejevs added a comment - - edited

(7) Fixed XSS in the profiler and some HTML entity issues in branches/dev/ZBX-4015-trunk. Please review.

<sasha> REOPENED
(7.1) Monitoring->Dashboard - hints
https://support.zabbix.com/secure/attachment/17578/monitoring_dashboard.jpg
(7.2) Monitoring->Maps - Element menu
https://support.zabbix.com/secure/attachment/17579/monitoring_maps.jpg

<pavels> RESOLVED.
<sasha> CLOSED

Pavels Jelisejevs made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Pavels Jelisejevs added a comment -

Merged to 1.8 revision r23754.

Alexander Vladishev made changes -
Attachment monitoring_dashboard.jpg [ 17578 ]
Alexander Vladishev made changes -
Attachment monitoring_maps.jpg [ 17579 ]
Alexander Vladishev made changes -
Resolution Fixed [ 1 ]
Status Resolved [ 5 ] Reopened [ 4 ]
Pavels Jelisejevs made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Alexander Vladishev made changes -
Assignee Pavels Jelisejevs [ jelisejev ] Alexander Vladishev [ sasha ]
Alexander Vladishev made changes -
Status Resolved [ 5 ] Tested [ 10002 ]
Assignee Alexander Vladishev [ sasha ] Pavels Jelisejevs [ jelisejev ]
Pavels Jelisejevs added a comment -

Merged to trunk revision 23800.

CLOSED.

Pavels Jelisejevs made changes -
Status Tested [ 10002 ] Closed [ 6 ]
Fix Version/s 1.8.10 [ 10506 ]
Fix Version/s 1.9.9 (trunk) [ 10800 ]
Fix Version/s 2.0 [ 10402 ]
Pavels Jelisejevs added a comment - - edited

(8) [GUI] Rich suggested that using non-ASCII characters in the code may cause problems, so I changed the HTML encoding strategy to ignore ampersands. This will allow us to use HTML encoded characters in the code.

Please review my commit to /branches/dev/ZBX-4015-trunk r23855.

REOPENED and RESOLVED.
<sasha> CLOSED

Pavels Jelisejevs made changes -
Resolution Fixed [ 1 ]
Status Closed [ 6 ] Reopened [ 4 ]
Alexander Vladishev made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Alexander Vladishev made changes -
Status Resolved [ 5 ] Tested [ 10002 ]
Alexander Vladishev added a comment -

branches/dev/ZBX-4015 (1.8) Successfully TESTED

Pavels Jelisejevs added a comment -

Updated trunk r23875 and 1.8 r23878.

CLOSED.

Pavels Jelisejevs made changes -
Status Tested [ 10002 ] Closed [ 6 ]
richlv added a comment -

this resulted in a regression : ZBX-4506

