[ZBX-11284] maintenance.php CSRF Created: 2016 Sep 29  Updated: 2024 Apr 10  Resolved: 2019 May 17

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: None
Fix Version/s: 3.0.28rc1, 4.0.8rc1, 4.2.2rc1, 4.4.0alpha1, 4.4 (plan)

Type: Problem report Priority: Trivial
Reporter: cyy Assignee: Gregory Chalenko
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
Team: Team D
Sprint: Sprint 50 (Mar 2019), Sprint 51 (Apr 2019), Sprint 52 (May 2019)
Story Points: 0.5

Description
POST /*****/maintenance.php HTTP/1.1
Host: *****:18443
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://*****:18443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://*****:18443/*****/maintenance.php?form=Create+maintenance+period
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=2l9kk6isfjdp1d795magb11aaf4ekrhr; zbx_sessionid=f9d1db7e92d49fd7f459a371d3dfa4f7;cb_maintenance_parts=0;tab=,//})// ]]><script>alert('xss')</script><img src=1 onerror=alert('xss')><!--
Content-Length: 398

sid=24230519c556deb5&form_refresh=1&form=Create+maintenance+period&active_since=1467216000&active_till=1467302400&mname=&maintenance_type=0&active_since_day=30&active_since_month=06&active_since_year=2016&active_since_hour=00&active_since_minute=00&active_till_day=01&active_till_month=07&active_till_year=2016&active_till_hour=00&active_till_minute=00&description=&new_timeperiod=New&twb_groupid=5


Comments
Comment by Oleg Egorov (Inactive) [ 2017 Apr 04 ]

The SID should be removed from the URL when pressing the Cancel button. For example, in Configuration->Maintenance.

Comment by Vjaceslavs Bogdanovs [ 2018 Jul 27 ]

There are multiple problems mentioned in this ticket:

  1. CSRF
    This one is a false positive. The provided example contains a SID, which is a CSRF token. Removing the SID from the request will lead to "Operation cannot be performed due to unauthorized request.", so there is no CSRF here.
  2. XSS
    The attack vector is mentioned in this ticket (in the example), but the way of getting cookies set that way is unclear and impossible without manually changing cookies (if we assume that no other vulnerabilities are used). So we can ignore this one as well.

So this report is a false positive for supported Zabbix versions.

Comment by Gregory Chalenko [ 2019 Apr 01 ]

RESOLVED in development branch svn://svn.zabbix.com/branches/dev/ZBX-11284.

Comment by Gregory Chalenko [ 2019 May 07 ]

Fixed in:

  • 3.0.28rc1 b73a7b6143d
  • 4.0.8rc1 3ca92db64cb
  • 4.2.2rc1 17f1f6be695
  • 4.4.0alpha1 ab6d1f2ceb4

Comment by Gregory Chalenko [ 2019 May 15 ]

What was fixed:

  • sid was removed from URLs in GET requests
  • fixed the "cancel" button in edit forms
  • the "tab" cookie will contain only a numeric value
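Added example (not Zabbix code): a small Python model of the server-side behaviour discussed in the two comments above. It reproduces why the CSRF part of the report is a false positive (the request is refused with the page's "unauthorized request" message unless the per-session sid token is present and matches) and the three fixes listed in the last comment: sid stripped from GET URLs so the token does not leak through Referer headers or logs, and the `tab` cookie accepted only when it is a plain integer, which neutralises the cookie payload shown in the ticket's captured request. The session store, the handler name, the `example.invalid` host and the HTML snippet are assumptions; the sid, zbx_sessionid and cookie values are the ones visible in the ticket.

```python
"""Model of the ZBX-11284 checks and fixes (added example, not the Zabbix frontend)."""
import hmac
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed session store: zbx_sessionid -> per-session CSRF token ("sid").
# Both values are taken from the request captured in the ticket description.
SESSIONS = {"f9d1db7e92d49fd7f459a371d3dfa4f7": "24230519c556deb5"}

# Error text quoted in the ticket for a request without a valid sid.
UNAUTHORIZED = "Operation cannot be performed due to unauthorized request."

# Fix 3: a tab index is a small non-negative integer, nothing else.
TAB_RE = re.compile(r"[0-9]{1,3}")


def parse_cookies(header):
    """Minimal Cookie header parser: split on ';', then on the first '='."""
    jar = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.strip()] = value.strip()
    return jar


def check_csrf(session_id, submitted_sid):
    """Accept the form only if the submitted sid equals the token bound to this session."""
    expected = SESSIONS.get(session_id)
    if expected is None or submitted_sid is None:
        return False
    return hmac.compare_digest(expected, submitted_sid)  # constant-time comparison


def sanitize_tab(raw):
    """Return the tab index as an int; any non-numeric cookie value falls back to tab 0."""
    if raw is None or TAB_RE.fullmatch(raw) is None:
        return 0
    return int(raw)


def strip_sid(url):
    """Fix 1: drop 'sid' from a GET URL so the token is not exposed via Referer/history/logs."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "sid"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def handle_maintenance_post(headers, body):
    """Handle the ticket's POST: CSRF check first, then cookie validation, then rendering."""
    cookies = parse_cookies(headers.get("Cookie"))
    form = parse_qs(body, keep_blank_values=True)
    sid = form.get("sid", [None])[0]
    if not check_csrf(cookies.get("zbx_sessionid"), sid):
        return {"status": 403, "error": UNAUTHORIZED}
    tab = sanitize_tab(cookies.get("tab"))
    # The tab index ends up inside page script; as an int it cannot break out of the JS context.
    return {"status": 200, "tab": tab, "script": f"<script>var activeTab = {tab};</script>"}


# Constructed sample reproducing the ticket's request (host is a placeholder).
CAPTURED_HEADERS = {
    "Host": "example.invalid:18443",
    "Content-Type": "application/x-www-form-urlencoded",
    "Cookie": (
        "PHPSESSID=2l9kk6isfjdp1d795magb11aaf4ekrhr; "
        "zbx_sessionid=f9d1db7e92d49fd7f459a371d3dfa4f7;cb_maintenance_parts=0;"
        "tab=,//})// ]]><script>alert('xss')</script><img src=1 onerror=alert('xss')><!--"
    ),
}
CAPTURED_BODY = (
    "sid=24230519c556deb5&form_refresh=1&form=Create+maintenance+period"
    "&active_since=1467216000&active_till=1467302400&mname=&maintenance_type=0"
    "&description=&new_timeperiod=New&twb_groupid=5"
)

if __name__ == "__main__":
    print(handle_maintenance_post(CAPTURED_HEADERS, CAPTURED_BODY))
    print(handle_maintenance_post(CAPTURED_HEADERS, CAPTURED_BODY.replace("sid=24230519c556deb5&", "")))
    print(strip_sid("https://example.invalid/maintenance.php?form=Create+maintenance+period&sid=24230519c556deb5"))
```

Running it shows the captured request being accepted with the tab cookie reduced to 0, the same request without its sid being refused with the quoted error, and the sid disappearing from a GET URL while the rest of the query string is preserved.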