Details
-
Type:
Incident report
-
Status: Closed
-
Priority:
Critical
-
Resolution: Fixed
-
Affects Version/s: 1.8.15rc1, 2.0.1
-
Component/s: Frontend (F)
-
Labels:
Description
A file "popup_bitem.php" allows to pass argument "itemid" unsanitised.
Activity
Hi.
This issue also affect to Zabbix 1.8.x.
I could make a exploit for 1.8.x by using example from following exploit. It succeeded to get user's session id.
http://www.exploit-db.com/exploits/20087/
I made a patch for Zabbix 1.8.x.
Could you apply my patch to 1.8.x branch?
https://gist.github.com/3181678
Show
Takanori Suzuki
added a comment - Hi.
This issue also affect to Zabbix 1.8.x.
I could make a exploit for 1.8.x by using example from following exploit. It succeeded to get user's session id.
http://www.exploit-db.com/exploits/20087/
I made a patch for Zabbix 1.8.x.
Could you apply my patch to 1.8.x branch?
https://gist.github.com/3181678
dev branch: svn://svn.zabbix.com/branches/dev/ZBX-5348
this fix should be used for 2.0 and trunk too.
Show
Alexey Fukalov
added a comment - dev branch: svn://svn.zabbix.com/branches/dev/ZBX-5348
this fix should be used for 2.0 and trunk too.
Also fixed in pre-1.8.15 r29282
Show
Alexander Vladishev
added a comment - Also fixed in pre-1.8.15 r29282
I checked pre-1.8.15 r29282 works good.
My exploit for 1.8.x doesn't get session id any more.
Thank you.
Show
Takanori Suzuki
added a comment - I checked pre-1.8.15 r29282 works good.
My exploit for 1.8.x doesn't get session id any more.
Thank you.
Fixed in pre-2.0.2 r28981 and pre-2.1.0 (beta) r28982.