[ZBXNEXT-8074] Secure CSRF tokens - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Change Request
Status: Closed
Priority: Trivial
Resolution: Fixed
Affects Version/s: 6.4 (plan)
Fix Version/s: 6.4.0rc1, 6.4 (plan)
Component/s: Frontend (F)
Labels:
- security

Team:
Team C
Sprint:
Sprint 94 (Nov 2022), Sprint 95 (Dec 2022), Sprint 96 (Jan 2023), Sprint 97 (Feb 2023)
Story Points:
4

Description

CSRF tokens should be generated in a way that is not guessable by the attacker, so if an attacker wants to send a request he should first get the CSRF token to include it in the request. Zabbix UI uses part of a session id as a CSRF token and is never changed between requests (not until the session is changed).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

image-2023-01-29-23-35-38-428.png
128 kB
2023 Jan 29 23:35
image-2023-01-29-23-39-21-113.png
122 kB
2023 Jan 29 23:39
image-2023-01-30-13-14-02-890.png
21 kB
2023 Jan 30 13:14
image-2023-01-30-13-15-35-403.png
54 kB
2023 Jan 30 13:15
screenshot-1.png
61 kB
2023 Jan 31 14:15

Issue Links

causes

ZBX-22526 Can't delete just exported template

Closed

ZBX-22811 CSRF token visible in link in Monitoring->Hosts

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...

Activity

People

Assignee:: Gregory Chalenko

Reporter:: Vjaceslavs Bogdanovs

Votes:: 0 Vote for this issue

Watchers:: 13 Start watching this issue

Dates

Created:: 2022 Nov 01 13:45

Updated:: 2023 May 16 16:32

Resolved:: 2023 Feb 19 21:12