Details

      Description

      A file "popup_bitem.php" allows to pass argument "itemid" unsanitised.

        Activity

        Hide
        Alexander Vladishev added a comment - - edited

        Fixed in pre-2.0.2 r28981 and pre-2.1.0 (beta) r28982.

        Show
        Alexander Vladishev added a comment - - edited Fixed in pre-2.0.2 r28981 and pre-2.1.0 (beta) r28982.
        Hide
        Takanori Suzuki added a comment -

        Hi.

        This issue also affect to Zabbix 1.8.x.
        I could make a exploit for 1.8.x by using example from following exploit. It succeeded to get user's session id.
        http://www.exploit-db.com/exploits/20087/

        I made a patch for Zabbix 1.8.x.
        Could you apply my patch to 1.8.x branch?
        https://gist.github.com/3181678

        Show
        Takanori Suzuki added a comment - Hi. This issue also affect to Zabbix 1.8.x. I could make a exploit for 1.8.x by using example from following exploit. It succeeded to get user's session id. http://www.exploit-db.com/exploits/20087/ I made a patch for Zabbix 1.8.x. Could you apply my patch to 1.8.x branch? https://gist.github.com/3181678
        Hide
        Alexey Fukalov added a comment -

        dev branch: svn://svn.zabbix.com/branches/dev/ZBX-5348
        this fix should be used for 2.0 and trunk too.

        Show
        Alexey Fukalov added a comment - dev branch: svn://svn.zabbix.com/branches/dev/ZBX-5348 this fix should be used for 2.0 and trunk too.
        Hide
        Toms added a comment -

        TESTED

        Show
        Toms added a comment - TESTED
        Hide
        Alexander Vladishev added a comment -

        Also fixed in pre-1.8.15 r29282

        Show
        Alexander Vladishev added a comment - Also fixed in pre-1.8.15 r29282
        Hide
        Takanori Suzuki added a comment -

        I checked pre-1.8.15 r29282 works good.
        My exploit for 1.8.x doesn't get session id any more.
        Thank you.

        Show
        Takanori Suzuki added a comment - I checked pre-1.8.15 r29282 works good. My exploit for 1.8.x doesn't get session id any more. Thank you.

          People

          • Assignee:
            Unassigned
            Reporter:
            Oleksiy Zagorskyi
          • Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: