ZABBIX BUGS AND ISSUES
ZBX-7693

User type "Zabbix Admin" users can modify the media for all Zabbix users - Security hole

    Details

      Description

      Based on the UI, I would assume (and hope) that only Zabbix Super Admins could modify the media for any user. In the UI, only Zabbix Super Admins can get to the Administration tab to make user changes. Using the API, I did a test today and found that a user of type "Zabbix Admin" can modify the media for any user in the Zabbix system! For history on why I found this, see ZBXNEXT-2122.

      CVE-2014-1685
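As an added illustration (not code from this issue, the attached patch, or Zabbix itself), the permission rule the reporter expected is modelled below beside the behaviour the report describes, with a check over constructed audit records that flags the pattern the bug allowed; the user-type numbers, the `user.updatemedia` method name and the audit-record layout are assumptions.

```python
# Added example (not Zabbix's own code): a model of the authorization decision
# behind ZBX-7693, the vulnerable rule beside the intended one, plus a check
# over constructed audit records. The user-type numbers are assumptions.
USER_TYPE_ZABBIX_USER = 1
USER_TYPE_ZABBIX_ADMIN = 2
USER_TYPE_SUPER_ADMIN = 3


def can_update_media_vulnerable(caller_userid, caller_type, target_userid):
    """Behaviour the report describes: the check only asks whether the
    caller is an Admin, so any Zabbix Admin may edit any user's media."""
    return caller_type >= USER_TYPE_ZABBIX_ADMIN


def can_update_media_fixed(caller_userid, caller_type, target_userid):
    """Intended rule: Super Admins may edit anyone's media; every other
    user type may only edit media on their own profile."""
    if caller_type == USER_TYPE_SUPER_ADMIN:
        return True
    return caller_userid == target_userid


# Constructed audit records; the 'user.updatemedia' method name and the
# record layout are assumptions, not taken from the report.
SAMPLE_USER_TYPES = {1: USER_TYPE_SUPER_ADMIN, 5: USER_TYPE_ZABBIX_ADMIN,
                     7: USER_TYPE_ZABBIX_USER}
SAMPLE_AUDIT = [
    {"actor": 1, "target": 5, "action": "user.updatemedia"},  # Super Admin: allowed
    {"actor": 5, "target": 5, "action": "user.updatemedia"},  # own profile: allowed
    {"actor": 5, "target": 7, "action": "user.updatemedia"},  # Admin on another user
    {"actor": 7, "target": 7, "action": "user.update"},       # not a media change
]


def find_cross_user_media_changes(audit_records, user_types):
    """Return audit records where a non-Super-Admin changed media on a
    profile that is not their own, i.e. exactly the pattern ZBX-7693 allowed."""
    return [
        rec for rec in audit_records
        if rec["action"] == "user.updatemedia"
        and not can_update_media_fixed(
            rec["actor"],
            user_types.get(rec["actor"], USER_TYPE_ZABBIX_USER),
            rec["target"])
    ]


if __name__ == "__main__":
    for rec in find_cross_user_media_changes(SAMPLE_AUDIT, SAMPLE_USER_TYPES):
        print("cross-user media change:", rec)
```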

        Activity

        Corey Shaw created issue
        (Field: original value -> new value; a row with a single value has the other column empty)
        richlv made changes:
          Labels: security
        richlv made changes:
          Labels: security -> security usermedia
          Priority: Minor [4] -> Critical [2]
        Corey Shaw made changes:
          Attachment: ZBX-7693-modify-own-profile.patch [26260]
        richlv made changes:
          Labels: security usermedia -> patch security usermedia
        Eduards Samersovs (Inactive) made changes:
          Assignee: Eduards Samersovs [eduards]
        Eduards Samersovs (Inactive) made changes:
          Status: Open [1] -> Resolved [5]
          Fix Version/s: 2.2.2 [12012]
          Fix Version/s: 2.3.0 (trunk) [12006]
          Resolution: Fixed [1]
        Pavels Jelisejevs (Inactive) made changes:
          Assignee: Eduards Samersovs [eduards] -> Pavels Jelisejevs [jelisejev]
        Pavels Jelisejevs (Inactive) made changes:
          Resolution: Fixed [1]
          Status: Resolved [5] -> Reopened [4]
        Pavels Jelisejevs (Inactive) made changes:
          Assignee: Pavels Jelisejevs [jelisejev] -> Eduards Samersovs [eduards]
        Eduards Samersovs (Inactive) made changes:
          Status: Reopened [4] -> Resolved [5]
          Assignee: Eduards Samersovs [eduards] -> Pavels Jelisejevs [jelisejev]
          Resolution: Fixed [1]
        Pavels Jelisejevs (Inactive) made changes:
          Resolution: Fixed [1]
          Status: Resolved [5] -> Reopened [4]
          Assignee: Pavels Jelisejevs [jelisejev] -> Eduards Samersovs [eduards]
        Eduards Samersovs (Inactive) made changes:
          Status: Reopened [4] -> Resolved [5]
          Assignee: Eduards Samersovs [eduards] -> Pavels Jelisejevs [jelisejev]
          Resolution: Fixed [1]
        Pavels Jelisejevs (Inactive) made changes:
          Resolution: Fixed [1]
          Status: Resolved [5] -> Reopened [4]
          Assignee: Pavels Jelisejevs [jelisejev] -> Eduards Samersovs [eduards]
        richlv made changes:
          Fix Version/s: 2.2.2rc1 [12011]
          Fix Version/s: 2.2.2 [12012]
        richlv made changes:
          Description: the line "CVE-2014-1685" was appended; the report text is otherwise unchanged
        Eduards Samersovs (Inactive) made changes:
          Status: Reopened [4] -> Resolved [5]
          Assignee: Eduards Samersovs [eduards] -> Pavels Jelisejevs [jelisejev]
          Resolution: Fixed [1]
        Pavels Jelisejevs (Inactive) made changes:
          Resolution: Fixed [1]
          Status: Resolved [5] -> Reopened [4]
          Assignee: Pavels Jelisejevs [jelisejev] -> Eduards Samersovs [eduards]
        Eduards Samersovs (Inactive) made changes:
          Status: Reopened [4] -> Resolved [5]
          Assignee: Eduards Samersovs [eduards] -> Pavels Jelisejevs [jelisejev]
          Resolution: Fixed [1]
        Pavels Jelisejevs (Inactive) made changes:
          Assignee: Pavels Jelisejevs [jelisejev] -> Eduards Samersovs [eduards]
        Eduards Samersovs (Inactive) made changes:
          Assignee: Eduards Samersovs [eduards] -> Pavels Jelisejevs [jelisejev]
        Pavels Jelisejevs (Inactive) made changes:
          Status: Resolved [5] -> Tested [10002]
          Assignee: Pavels Jelisejevs [jelisejev] -> Eduards Samersovs [eduards]
        Eduards Samersovs (Inactive) made changes:
          Status: Tested [10002] -> Closed [6]
          Assignee: Eduards Samersovs [eduards]
        richlv made changes:
          Resolution: Fixed [1]
          Status: Closed [6] -> Reopened [4]
        Pavels Jelisejevs (Inactive) made changes:
          Assignee: Pavels Jelisejevs [jelisejev]
        Alexander Vladishev made changes:
          Assignee: Pavels Jelisejevs [jelisejev] -> Alexander Vladishev [sasha]
        Alexander Vladishev made changes:
          Assignee: Alexander Vladishev [sasha] -> Pavels Jelisejevs [jelisejev]
        Pavels Jelisejevs (Inactive) made changes:
          Status: Reopened [4] -> Resolved [5]
          Assignee: Pavels Jelisejevs [jelisejev] -> Eduards Samersovs [eduards]
          Resolution: Fixed [1]
        Eduards Samersovs (Inactive) made changes:
          Status: Resolved [5] -> Tested [10002]
          Assignee: Eduards Samersovs [eduards] -> Pavels Jelisejevs [jelisejev]
        Pavels Jelisejevs (Inactive) made changes:
          Status: Tested [10002] -> Closed [6]
          Fix Version/s: 1.8.20rc2 [12105]
          Fix Version/s: 2.0.11rc2 [12104]
        Oleksiy Zagorskyi made changes:
          Labels: patch security usermedia -> patch permissions security usermedia
        Alexey Pustovalov made changes:
          Link: This issue is duplicated by SPT-8 [SPT-8]
        Alexei Vladishev made changes:
          Workflow: Zabbix workflow [33642] -> Zabbix workflow - new [47946]
        Alexander Vladishev made changes:
          Workflow: Zabbix workflow - new [47946] -> Copy of Zabbix workflow - new [68211]
        Alexander Vladishev made changes:
          Workflow: Copy of Zabbix workflow - new [68211] -> Zabbix workflow - new [83433]
        Gatis Rumbens made changes:
          Issue Type: Bug [1] -> Incident report [10110]
          Zabbix ID: NA
          Assignee: Pavels Jelisejevs [jelisejev]

          People

          Assignee: Unassigned
          Reporter: Corey Shaw
          Votes: 0
          Watchers: 1
