ZABBIX BUGS AND ISSUES: ZBX-4668

Path disclosure vulnerability when using the API


    • Type: Incident report
    • Resolution: Won't fix
    • Priority: Minor
    • Fix Version/s: None
    • Affects Version/s: 1.9.9 (beta)
    • Component/s: API (A)
    • Labels: None
    • Environment: latest trunk r25374

      If something is wrong with an API request, then in the response I can see the full path to the source files in a debug section.
      The authorized user has "Debug mode" enabled.

      Yes, it's the full path:
      /zab/www-dev/zabbix20/api/classes/class.cusermacro.php

      Recently a similar case for the frontend was fixed in ZBX-3840.

      Request:
      {"jsonrpc":"2.0","method":"usermacro.deleteglobal","params":["{$MACRO1}"],"id":0,"auth":"c6f72a1a2ee604002b6bd72b8586335a"}
      Response:
      {
        "jsonrpc": "2.0",
        "error": {
          "code": -32602,
          "message": "Invalid params.",
          "data": "Global macro with globalmacroid \"{$MACRO1}\" does not exist.",
          "debug": [
            {
              "file": "/zab/www-dev/zabbix20/api/classes/class.cusermacro.php",
              "line": 594,
              "function": "exception",
              "class": "CZBXAPI",
              "type": "::",
              "args": [
                100,
                "Global macro with globalmacroid \"{$MACRO1}\" does not exist."
              ]
      ... trimmed
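A quick way to check whether this kind of response is reaching API clients, and what a gateway-side mitigation would look like, as an added example (it is not part of the report and not Zabbix code). The sample response below is constructed from the error shown in the report, not captured from a live server; the path regex is a heuristic of my own, and `strip_debug` models what a reverse proxy or API wrapper might do, not anything Zabbix itself provides.

```python
import json
import re
from typing import Any, Iterator

# Constructed sample: the same shape and values as the error response quoted in
# the report (with the trimmed tail closed), not captured from a running server.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "error": {
        "code": -32602,
        "message": "Invalid params.",
        "data": "Global macro with globalmacroid \"{$MACRO1}\" does not exist.",
        "debug": [
            {
                "file": "/zab/www-dev/zabbix20/api/classes/class.cusermacro.php",
                "line": 594,
                "function": "exception",
                "class": "CZBXAPI",
                "type": "::",
                "args": [100, "Global macro with globalmacroid \"{$MACRO1}\" does not exist."],
            }
        ],
    },
    "id": 0,
})

# Heuristic (assumption, not a Zabbix rule): absolute Unix paths like /a/b/c.php
# or Windows drive paths like C:\a\b.php anywhere in a string value.
PATH_RE = re.compile(r'/(?:[\w.-]+/)+[\w.-]+|[A-Za-z]:\\(?:[\w.-]+\\)*[\w.-]+')


def _strings(node: Any) -> Iterator[str]:
    """Yield every string value nested anywhere inside a parsed JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def leaked_paths(response_text: str) -> list:
    """Return the distinct filesystem paths found in a JSON-RPC error response.

    Only the "error" member is scanned; a successful "result" is the caller's data
    and is not an information leak from the server.
    """
    body = json.loads(response_text)
    found = []
    for text in _strings(body.get("error", {})):
        for match in PATH_RE.finditer(text):
            if match.group(0) not in found:
                found.append(match.group(0))
    return found


def has_debug_trace(response_text: str) -> bool:
    """True if the error object carries the per-user "debug" backtrace."""
    error = json.loads(response_text).get("error")
    return isinstance(error, dict) and "debug" in error


def strip_debug(response_text: str) -> str:
    """Return the response with the "debug" backtrace removed from the error object.

    Hypothetical gateway-side mitigation: the error code, message and data the
    client needs are kept; the server-side backtrace is dropped before the reply
    leaves the trusted network.
    """
    body = json.loads(response_text)
    error = body.get("error")
    if isinstance(error, dict):
        error.pop("debug", None)
    return json.dumps(body)


if __name__ == "__main__":
    print("debug trace present:", has_debug_trace(SAMPLE_RESPONSE))
    print("paths leaked:", leaked_paths(SAMPLE_RESPONSE))
    print("after strip_debug:", leaked_paths(strip_debug(SAMPLE_RESPONSE)))
```

Note that the backtrace only appears for users who have turned on "Debug mode" in their own profile, so `has_debug_trace` is also a cheap way to spot an account that has debug enabled in production; the scan of the `error` subtree rather than just `debug[].file` is deliberate, since a path can just as easily end up in `data` or in an `args` string.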

            Assignee: Unassigned
            Reporter: zalex_ua (Oleksii Zagorskyi)