ZABBIX BUGS AND ISSUES
ZBX-9697

HTTP server DoS, because of insufficient check on 'width' GET parameter


Type: Incident report
Resolution: Duplicate
Priority: Trivial
Affects Version/s: 2.4.5
Component/s: Frontend (F)
Environment:
      server: CentOS 7.0, zabbix-server-2.4.3-1.el7.x86_64
      client: ubuntu 15.04, Chrome 39.0.2171.95 (64-bit)

      We have recently met a problem when a user has multiple monitors and moves the browser window from one monitor to another. Each monitor has a different width (in our case changing between width=1776 and width=1711); when a Zabbix graph is opened, this leads to a hung Zabbix PHP process, 100% CPU usage and HTTP DoS.

      Here are the log entries that lead to the server DoS:
      172.16.30.X - - [09/Jul/2015:12:06:52 +1000] "POST /jsrpc.php?output=json-rpc HTTP/1.1" 200 64 "https://zabbix.farpost.ru/history.php?itemids[0]=118980&action=showgraph&sid=49f11ec0078279a6" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
      172.16.30.78 - - [09/Jul/2015:12:06:37 +1000] "GET /chart.php?sid=49f11ec0078279a6&period=21600&stime=20160625033404&itemids%5B0%5D=118980&type=0&updateProfile=1&profileIdx=web.item.graph&profileIdx2=118980&width=-59&screenid=&curtime=1436406822554 HTTP/1.1" 500 881 "https://zabbix.farpost.ru/history.php?itemids[0]=118980&action=showgraph&sid=49f11ec0078279a6" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
      172.16.30.78 - - [09/Jul/2015:12:06:42 +1000] "GET /chart.php?sid=49f11ec0078279a6&period=21600&stime=20160625033404&itemids%5B0%5D=118980&type=0&updateProfile=1&profileIdx=web.item.graph&profileIdx2=118980&width=-59&screenid=&curtime=1436406852555 HTTP/1.1" 500 881 "https://zabbix.farpost.ru/history.php?itemids[0]=118980&action=showgraph&sid=49f11ec0078279a6" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
      172.16.30.78 - - [09/Jul/2015:12:06:47 +1000] "GET /chart.php?sid=49f11ec0078279a6&period=21600&stime=20160625033404&itemids%5B0%5D=118980&type=0&updateProfile=1&profileIdx=web.item.graph&profileIdx2=118980&width=-59&screenid=&curtime=1436406883555 HTTP/1.1" 500 881 "https://zabbix.farpost.ru/history.php?itemids[0]=118980&action=showgraph&sid=49f11ec0078279a6" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
      172.16.30.78 - - [09/Jul/2015:12:06:52 +1000] "GET /chart.php?sid=49f11ec0078279a6&period=21600&stime=20160625033404&itemids%5B0%5D=118980&type=0&updateProfile=1&profileIdx=web.item.graph&profileIdx2=118980&width=-59&screenid=&curtime=1436406914556 HTTP/1.1" 500 881 "https://zabbix.farpost.ru/history.php?itemids[0]=118980&action=showgraph&sid=49f11ec0078279a6" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

      The problematic parameter is "width=-59" (why? I don't know); these requests were not manually crafted, but generated by your JS code.

      As you can see in CLineGraphDraw.php:1127, there is an infinite loop there. If you pass a negative parameter it hangs forever. Passing very large numbers also affects frontend PHP CPU utilization.

      So the JS by default requests a new graph every 5 seconds; each such request leads to 100% utilization of one CPU, and this leads to quite fast server degradation and DoS.

      I would suggest stricter validation of the "width" parameter or checking the while conditions more thoroughly.

      Best regards,
      Artyom A. Konovalenko

Assignee: Unassigned
Reporter: nopius (Artyom A. Konovalenko)
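An added detection example, not part of this report or of Zabbix's own code: it scans web-server access-log lines of the kind quoted above for chart.php requests whose width parameter is negative, non-numeric or implausibly large, and counts repeats per client so that the 5-second polling pattern stands out. The log lines, client IPs, the SID placeholder and the width bounds are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined-log-format request line: client, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed plausible bounds (pixels) for a graph width requested by the legitimate JS.
MIN_WIDTH, MAX_WIDTH = 1, 8192

# Constructed sample lines modelled on the report (placeholder IPs and SID).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2015:12:06:37 +1000] "GET /chart.php?sid=SID&period=21600&itemids%5B0%5D=118980&width=-59&curtime=1 HTTP/1.1" 500 881 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Jul/2015:12:06:42 +1000] "GET /chart.php?sid=SID&period=21600&itemids%5B0%5D=118980&width=-59&curtime=2 HTTP/1.1" 500 881 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Jul/2015:12:06:47 +1000] "GET /chart.php?sid=SID&width=1776&curtime=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [09/Jul/2015:12:06:52 +1000] "GET /chart.php?sid=SID&width=99999999&curtime=4 HTTP/1.1" 500 881 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [09/Jul/2015:12:07:00 +1000] "GET /chart.php?sid=SID&width=abc HTTP/1.1" 500 881 "-" "Mozilla/5.0"',
]

def width_anomaly(line):
    """Return a dict describing a bad chart.php width request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/chart.php":
        return None
    raw = parse_qs(url.query, keep_blank_values=True).get("width", [None])[0]
    if raw is None:
        return None  # no width parameter at all: nothing to check
    try:
        width = int(raw)
    except ValueError:
        reason = "non-integer"
    else:
        if MIN_WIDTH <= width <= MAX_WIDTH:
            return None
        reason = "out of range"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "width": raw,
            "status": int(m.group("status")), "reason": reason}

def scan(lines):
    # All anomalous width requests in the given log lines, in order.
    return [a for a in map(width_anomaly, lines) if a]

def repeat_offenders(anomalies, threshold=2):
    # Clients with at least `threshold` anomalous requests: the periodic polling pattern.
    counts = Counter(a["ip"] for a in anomalies)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```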