  1. ZABBIX BUGS AND ISSUES
  2. ZBX-4668

Path disclosure vulnerability when using the API

    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't fix
    • Affects Version/s: 1.9.9 (beta)
    • Fix Version/s: None
    • Component/s: API (A)
    • Labels: None
    • Environment: latest trunk r25374

      Description

      If something is wrong with an API request, then in the response I can see the full path to the source files in a debug section.
      The authorized user has "Debug mode" enabled.

      Yes, it's the full path:
      /zab/www-dev/zabbix20/api/classes/class.cusermacro.php

      Recently a similar case for the frontend was fixed in ZBX-3840.

      Request:
      {"jsonrpc":"2.0","method":"usermacro.deleteglobal","params":["{$MACRO1}"],"id":0,"auth":"c6f72a1a2ee604002b6bd72b8586335a"}
      Response:
      {
        "jsonrpc":"2.0",
        "error":{
          "code":-32602,
          "message":"Invalid params.",
          "data":"Global macro with globalmacroid \"{$MACRO1}\" does not exist.",
          "debug":[
            {
              "file":"/zab/www-dev/zabbix20/api/classes/class.cusermacro.php",
              "line":594,
              "function":"exception",
              "class":"CZBXAPI",
              "type":"::",
              "args":[
                100,
                "Global macro with globalmacroid \"{$MACRO1}\" does not exist."
              ]
      ... trimmed
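
A check for the behaviour reported above, added here as an example and not taken from the ticket or from Zabbix code: it lists every absolute filesystem path inside `error.debug` of a JSON-RPC error response and shows a filter that reduces each one to its base name. The function names and the second stack frame in the sample are assumptions made for the example.

```python
import ntpath
import re

# Absolute POSIX or Windows path with at least one directory component.
ABS_PATH = re.compile(r"^(?:/[^/\s]+/|[A-Za-z]:[\\/])")

# Constructed sample: frame 0 mirrors the trimmed response in the ticket,
# frame 1 and its path are invented for the example.
SAMPLE = {"jsonrpc": "2.0", "id": 0, "error": {
    "code": -32602, "message": "Invalid params.",
    "data": 'Global macro with globalmacroid "{$MACRO1}" does not exist.',
    "debug": [
        {"file": "/zab/www-dev/zabbix20/api/classes/class.cusermacro.php", "line": 594,
         "function": "exception", "class": "CZBXAPI", "type": "::",
         "args": [100, 'Global macro with globalmacroid "{$MACRO1}" does not exist.']},
        {"file": "/srv/example/frontend/rpc.php", "line": 12, "function": "call", "args": []},
    ]}}

def _strings(node, loc):
    """Yield (location, value) for every string nested under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _strings(val, f"{loc}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _strings(val, f"{loc}[{i}]")
    elif isinstance(node, str):
        yield loc, node

def find_path_leaks(response):
    """Return (location, path) for each absolute path inside error.debug."""
    debug = (response.get("error") or {}).get("debug", [])
    return [(loc, v) for loc, v in _strings(debug, "$.error.debug") if ABS_PATH.match(v)]

def _redact(node):
    if isinstance(node, dict):
        return {k: _redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [_redact(v) for v in node]
    if isinstance(node, str) and ABS_PATH.match(node):
        return ntpath.basename(node)  # ntpath splits on both / and \
    return node

def redact_paths(response):
    """Return a copy whose debug trace keeps file names but not directories."""
    out = dict(response)
    if isinstance(out.get("error"), dict) and "debug" in out["error"]:
        out["error"] = {**out["error"], "debug": _redact(out["error"]["debug"])}
    return out
```

`find_path_leaks` fits a regression test run against error responses captured with "Debug mode" on and off; `redact_paths` keeps the trace useful for debugging while dropping the directory layout.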

              People

              Assignee:
              Unassigned
              Reporter:
              zalex_ua Oleksiy Zagorskyi