Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.8
    • Fix Version/s: 2.0.9rc1, 2.1.5
    • Component/s: Frontend (F)
    • Labels:
      None
    • Environment:
      Ubuntu

      Description

      The default_theme is set by an administrative user who has access to adm.gui.php

      adm.gui.php:
      $configs = array(
      'default_theme' => get_request('default_theme'),
      ...
      update_config($configs)

      default_theme is not sanitized before being stored in the database

      page_header.php:
      $css = $config['default_theme'];
      <body class="<?php echo $css; ?>">

      Example:
      http://zabbixserver/zabbix/adm.gui.php?sid=f449c57db01c1234&form_refresh=1&form_refresh=1&default_theme=originalblue">test1234<script>alert("xss")</script>&dropdown_first_entry=1&dropdown_first_remember=1&search_limit=1000&max_in_table=50&event_ack_enable=1&event_expire=7&event_show_max=100&server_check_interval=10&save=Save

      (change sid to valid admin sid)

      Response:
      <body class="originalblue">
      test1234
      <script>
      alert("xss")
      </script>
      /main.css" />

      page_header.php is included on every page

      blah@blah:/var/www/zabbix$ grep -i "page_header" ./*
      ./acknow.php:require_once dirname(__FILE__).'/include/page_header.php';
      ./actionconf.php:require_once dirname(__FILE__).'/include/page_header.php';
      ./adm.gui.php:require_once dirname(__FILE__).'/include/page_header.php';
      ./adm.housekeeper.php:require_once dirname(__FILE__).'/include/page_header.php';
      ./adm.iconmapping.php:require_once dirname(__FILE__).'/include/page_header.php';
      ....truncated....

      The theme saved is displayed for every user on every page, making this critical.

      Thanks

      -Lincoln
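The flow the report describes (raw request value written to the config table, then echoed unescaped into the body class and the stylesheet path), side by side with the two controls the fix comments below ask for: whitelist validation of the theme name before it is stored, and escaping at the sink in page_header.php. This is an added PHP example, not Zabbix source; the theme list, the `$db` array standing in for the config row, and all function names are assumptions made for the illustration.

```php
<?php
// Added example (not Zabbix code): the default_theme stored-XSS pattern from
// ZBX-6952, next to the whitelist validation and output escaping that fix it.
// The theme names below are assumed for illustration, not taken from the page.
const AVAILABLE_THEMES = ['originalblue', 'darkblue', 'darkorange'];
const FALLBACK_THEME = 'originalblue';

// Vulnerable input side (mirrors adm.gui.php): the raw request value is stored as-is.
function store_default_theme_vulnerable(array $request, array &$db): void
{
    $db['default_theme'] = $request['default_theme'] ?? FALLBACK_THEME;
}

// Vulnerable output side (mirrors page_header.php): the stored value is echoed
// unescaped into an attribute value and into the stylesheet path.
function render_header_vulnerable(array $db): string
{
    $css = $db['default_theme'];
    return '<link rel="stylesheet" type="text/css" href="styles/' . $css . '/main.css" />' . "\n"
         . '<body class="' . $css . '">';
}

// Fix 1: accept only a theme that actually ships with the frontend. A strict
// whitelist is the right control here because the value is an identifier that
// also becomes a filesystem path component; escaping alone would not cover that.
function validate_theme(string $name): bool
{
    return in_array($name, AVAILABLE_THEMES, true);
}

function store_default_theme_fixed(array $request, array &$db): bool
{
    $theme = $request['default_theme'] ?? '';
    if (!validate_theme($theme)) {
        return false; // reject the update; the caller reports an error
    }
    $db['default_theme'] = $theme;
    return true;
}

// Fix 2: re-validate and escape at the sink anyway (defence in depth: the row may
// have been written by an unpatched frontend or through the API before validation
// was added there).
function render_header_fixed(array $db): string
{
    $theme = $db['default_theme'] ?? FALLBACK_THEME;
    if (!validate_theme($theme)) {
        $theme = FALLBACK_THEME;
    }
    // ENT_QUOTES matters: the report's payload breaks out of the attribute with a
    // double quote, which htmlspecialchars() only encodes when asked to.
    $css = htmlspecialchars($theme, ENT_QUOTES, 'UTF-8');
    return '<link rel="stylesheet" type="text/css" href="styles/' . $css . '/main.css" />' . "\n"
         . '<body class="' . $css . '">';
}

// Constructed request carrying the report's payload (URL-decoded).
$request = ['default_theme' => 'originalblue">test1234<script>alert("xss")</script>'];

$db = [];
store_default_theme_vulnerable($request, $db);
echo "Vulnerable:\n", render_header_vulnerable($db), "\n\n";
// The injected quote closes the attribute and the script tag lands on every
// page that includes page_header.php, for every user.

$db = ['default_theme' => FALLBACK_THEME];
$accepted = store_default_theme_fixed($request, $db);
echo "Fixed: update ", $accepted ? "accepted" : "rejected", "\n";
echo render_header_fixed($db), "\n";
// The previously stored theme is kept; even a tainted row would render as the
// harmless fallback because the sink re-validates and escapes.
```

Run it with `php example.php`; the first block of output reproduces the broken markup shown under "Response" above, the second shows the update rejected and the header rendered with a valid, escaped theme name.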

        Activity

        Ivo Kurzemnieks added a comment -

        RESOLVED for 2.0 in svn://svn.zabbix.com/branches/dev/ZBX-6952

        Pavels Jelisejevs added a comment - edited

        (1) The same vulnerability exists on the profile and user configuration pages.

        Ivo Kurzemnieks RESOLVED for 2.0 svn://svn.zabbix.com/branches/dev/ZBX-6952 in r38546 (ChangeLog update in r38547)

        Pavels Jelisejevs It also has to be fixed on the user configuration page (users.php).

        Ivo Kurzemnieks RESOLVED in r38560

        Pavels Jelisejevs CLOSED.

        Pavels Jelisejevs added a comment - edited

        (2) The name of the CSS theme file and body class must be escaped in page_header.php.

        Ivo Kurzemnieks RESOLVED for 2.0 svn://svn.zabbix.com/branches/dev/ZBX-6952 in r38546 (ChangeLog update in r38547)

        Pavels Jelisejevs CLOSED.

        Pavels Jelisejevs added a comment - edited

        (3) Please add theme validation in the users API (trunk only).

        Ivo Kurzemnieks RESOLVED for trunk in svn://svn.zabbix.com/branches/dev/ZBX-6952-trunk r38553

        Pavels Jelisejevs I've made some changes in r38555, please review.

        Ivo Kurzemnieks REVIEWED. Thanks! Made a small update for trunk regarding (1). See r38559

        Pavels Jelisejevs CLOSED.

        Pavels Jelisejevs added a comment -

        TESTED.

        Ivo Kurzemnieks added a comment -

        Fixed in pre-2.0.9rc1 r38565 and pre-2.1.5 (trunk) r38566

        Pavels Jelisejevs added a comment - edited

        (4) The fix for theme validation should be noted in the 2.2 API changelog.

        Ivo Kurzemnieks RESOLVED.
        Please review: https://www.zabbix.com/documentation/2.2/manual/api/changes_2.0_-_2.2?do=diff&rev2[0]=1379489843&rev2[1]=

        Pavels Jelisejevs CLOSED.


          People

          • Assignee:
            Ivo Kurzemnieks
          • Reporter:
            Lincoln
          • Votes:
            0
          • Watchers:
            1
