[ZBX-10272] URL Redirect
Created: 2016 Jan 15 | Updated: 2020 Jul 16 | Resolved: 2019 Feb 17 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Frontend (F) |
Affects Version/s: | 2.2.11 |
Fix Version/s: | None |
Type: | Defect (Security) | Priority: | Minor |
Reporter: | Oliveira Lima | Assignee: | Zabbix Development Team |
Resolution: | Fixed | Votes: | 0 |
Labels: | security |
Remaining Estimate: | Not Specified |
Time Spent: | Not Specified |
Original Estimate: | Not Specified |
Attachments: | POC_URL_redirect-131314-15012016.mp4 |
Issue Links: |
|
Description |
Hello, I would like to report a fault in the request parameter: it allows redirection to external links, which would make it possible for an attacker, using the suitability of the field with the Zabbix application, to carry out phishing attacks.

Example:
Normal request: http://server/zabbix/index.php?request=hosts.php
Malicious request: http://server/zabbix/index.php?request=http://fakepage/hosts.php

A POC video is attached. |
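
One way to constrain a redirect parameter like `request` so that only local frontend pages are accepted. This is an added example, not part of the original report and not Zabbix's actual fix; the function names, the `DEFAULT_PAGE` fallback and the validation rules are assumptions for illustration.

```php
<?php
// Added example, not Zabbix code. Function names and DEFAULT_PAGE are hypothetical.
const DEFAULT_PAGE = 'dashboard.php'; // assumed fallback page

/**
 * Accept only a relative reference to a frontend PHP page, such as
 * "hosts.php" or "hosts.php?groupid=4". Anything that carries a scheme,
 * a host, or a directory component is rejected.
 */
function is_safe_local_request(string $request): bool
{
    // Control characters and backslashes are normalised inconsistently by browsers.
    if ($request === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $request)) {
        return false;
    }
    // A leading slash covers "//host/page.php", which is scheme-relative
    // and would leave the site.
    if ($request[0] === '/') {
        return false;
    }
    $parts = parse_url($request);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
            || isset($parts['user']) || isset($parts['port'])) {
        return false;
    }
    // The path must be a bare file name ending in ".php".
    return isset($parts['path'])
        && preg_match('/^[A-Za-z0-9_]+\.php$/', $parts['path']) === 1;
}

/** Return the page to redirect to, falling back to DEFAULT_PAGE when unsafe. */
function redirect_target(?string $request): string
{
    return ($request !== null && is_safe_local_request($request))
        ? $request
        : DEFAULT_PAGE;
}

// Constructed sample values; the first two are the requests from the report.
$samples = [
    'hosts.php',
    'http://fakepage/hosts.php',
    '//fakepage/hosts.php',
    'hosts.php?groupid=4',
];
foreach ($samples as $s) {
    printf("%-28s -> %s\n", $s, redirect_target($s));
}
```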
Comments |
Comment by Alexander Vladishev [ 2019 Feb 16 ] |
Closed as duplicate of |
Comment by Oliveira Lima [ 2019 Feb 17 ] |
Years to answer a ticket and apparently respond wrong!? The ticket reported by Miks Kronkalns was on the day 2017 Dec 04 15:52. My ticket 2016 Jan 15 18:39. I reported it first! |
Comment by Alexander Vladishev [ 2019 Feb 17 ] |
I wanted to say that this problem was fixed under a different issue, so I closed your issue as a duplicate. |
Comment by Alexander Vladishev [ 2019 Feb 17 ] |
Fixed with
|
Comment by dimir [ 2019 Feb 18 ] |
venon, please do not get us wrong. We respect your input and thank you for taking the time to create this well-detailed ticket. It just so happened that it was easier to fix multiple security issues in one ticket, and your issue was fixed there. |