broken-graph-1.png
broken-graph-2.png
[ZBX-10319] "stime" parameter for charts.php is not validated and can make Web server consume 100% CPU Created: 2016 Jan 28 Updated: 2020 Jul 16 Resolved: 2016 Feb 16 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Frontend (F) |
| Affects Version/s: | 3.0.0beta1 |
| Fix Version/s: | 2.2.12rc1, 2.4.8rc1, 3.0.1rc1, 3.2.0alpha1 |
| Type: | Defect (Security) | Priority: | Major |
| Reporter: | Aleksandrs Saveljevs | Assignee: | Unassigned |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | graphs, security, validation, vulnerability | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
broken-graph-1.png
broken-graph-2.png
|
| Description |
|
Suppose we usually go into "Monitoring" -> "Graphs" using the following link: http://localhost/zabbix/charts.php?graphid=525&period=3600&stime=20160127113255 The last "stime" parameter looks like an encoded date and time together in a validatable format. However, it is not validated. For instance, if we modify the parameter like so, the Web server will hang using 100% CPU: http://localhost/zabbix/charts.php?graphid=525&period=3600&stime=20000000160127113255 |
| Comments |
| Comment by Oleksii Zagorskyi [ 2016 Jan 29 ] |
|
ZBX-9993 could be related (it mentions strange values for the "stime") oleg.egorov ZBX-9993 issue is not related |
| Comment by Aleksandrs Saveljevs [ 2016 Feb 09 ] |
|
On other platforms it causes graph X-axis labels to be broken:
|
| Comment by Ivo Kurzemnieks [ 2016 Feb 10 ] |
|
(1) No translation string changes. oleg.egorov CLOSED |
| Comment by Ivo Kurzemnieks [ 2016 Feb 10 ] |
|
RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-10319 |
| Comment by Ivo Kurzemnieks [ 2016 Feb 10 ] |
|
This cannot be reproduced on Windows (at least I couldn't). Problem is that getdate() function is giving different results when given time is incorrect. oleg.egorov Confirmed, cannot be reproduced on Windows |
| Comment by Oleg Egorov (Inactive) [ 2016 Feb 11 ] |
|
TESTED |
| Comment by Ivo Kurzemnieks [ 2016 Feb 12 ] |
|
Fixed in:
|
