[ZBX-12768] WASA Findings from NSOC Team Created: 2017 May 22  Updated: 2024 Apr 10  Resolved: 2018 May 24

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: None
Fix Version/s: 2.2.20rc1, 3.0.11rc1, 3.2.8rc1, 3.4.2rc1, 4.0.0alpha1, 4.0 (plan)

Type: Defect (Security) Priority: Major
Reporter: Eric Lutjen Assignee: Gregory Chalenko
Resolution: Fixed Votes: 0
Labels: frontend, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Zabbix 3.0.9


Issue Links:
Duplicate
is duplicated by ZBX-13093 Cannot use LLD macro in the URL of th... Closed
is duplicated by ZBX-12825 error: Wrong value for url field. Closed
is duplicated by ZBX-11831 Zabbix 2.2.8 - URL redirection Closed
Sub-task
part of ZBX-12769 Reflected xss vulnerabilities Closed
Team: Team D
Sprint: Sprint 8, Sprint 9, Sprint 10, Sprint 11, Sprint 12, Sprint 13, Sprint 14, Sprint 15, Sprint 32, Sprint 33, Sprint 34
Story Points: 1

Description

Our VA NSOC WASA team has found 2 High findings during a WASA security scan and needs assistance from Zabbix to address the findings.

1. Web Application is Vulnerable to Stored Cross-Site Scripting (XSS) Attacks

1. Login to the Zabbix application
2. Navigate to Maps > Create Map > Add Icon > Add Link > URL: Name: test, URL: javascript:alert('eas')
3. Update Map
4. Return to Map
5. Click created icon
6. Observe JavaScript POC.

2. Web Application is Vulnerable to Cross-Site Request Forgery (CSRF)

1. Log on to Application
2. Navigate Administration --> Users --> Create Users
3. Click attached html
4. Observe new user added
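
The CSRF finding above works because the browser attaches the victim's session cookie to a form posted from any origin. The standard defence is a per-session token that a cross-origin page cannot read. The following is an added example, not code from this issue or from the Zabbix frontend; it simulates the "Create user" handler with a constructed request dictionary, a constructed session id and a constructed server secret, and shows the legitimate submission succeeding while the cross-site one is refused.

```python
import hashlib
import hmac

# Server-side secret used to derive per-session tokens. Constructed for the example.
SERVER_SECRET = b"example-only-secret-rotate-in-production"

# Session id the victim's browser holds in a cookie. Constructed value.
VICTIM_SESSION = "constructed-session-id-1234"


def issue_csrf_token(session_id: str) -> str:
    """Token embedded as a hidden field in every state-changing form.

    It is bound to the session, so it is only valid for the session that rendered
    the form, and a page on another origin cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted) -> bool:
    """Constant-time comparison; a missing token is rejected, not treated as empty."""
    if not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_user_create(request: dict, users: set) -> int:
    """Simulated 'Create user' handler. Returns the HTTP status the server would send.

    request is a constructed dict with the keys 'method', 'cookies' and 'form'."""
    if request["method"] != "POST":
        return 405  # state changes only via POST
    session_id = request["cookies"].get("sessionid")
    if session_id is None:
        return 401  # not logged in
    if not csrf_token_valid(session_id, request["form"].get("csrf_token")):
        return 403  # token missing or wrong: the user is not created
    users.add(request["form"]["alias"])
    return 200


def legitimate_request() -> dict:
    """Form submitted from the application's own page: carries cookie and token."""
    return {
        "method": "POST",
        "cookies": {"sessionid": VICTIM_SESSION},
        "form": {"alias": "newadmin", "csrf_token": issue_csrf_token(VICTIM_SESSION)},
    }


def forged_request() -> dict:
    """Auto-submitted form on a third-party page (the "attached html" of the report).

    The browser attaches the victim's session cookie to the cross-site POST, but the
    third-party page cannot read the token, so the form arrives without it."""
    return {
        "method": "POST",
        "cookies": {"sessionid": VICTIM_SESSION},
        "form": {"alias": "attacker_user"},
    }


def run_demo():
    """Return (status of legitimate request, status of forged request, users created)."""
    users = set()
    ok = handle_user_create(legitimate_request(), users)
    forged = handle_user_create(forged_request(), users)
    return ok, forged, sorted(users)


if __name__ == "__main__":
    print(run_demo())  # (200, 403, ['newadmin'])
```

The token check is the primary control; marking the session cookie `SameSite` and rejecting POSTs whose `Origin` header is not the application's own origin are independent layers that cut the same attack off earlier.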


Comments
Comment by richlv [ 2017 May 22 ]

"Click attached html" - could you please attach the proof of concept html?

Comment by Eric Lutjen [ 2017 May 22 ]

From the document provided it seems that I cannot save the html file the security team is referencing.

Comment by Oleg Egorov (Inactive) [ 2017 Jun 27 ]

(1) Translation strings changes?

gcalenko RESOLVED No translation string changes

oleg.egorov New strings:

  • Wrong value for url field.

gcalenko CLOSED Thank you.

Comment by Oleg Egorov (Inactive) [ 2017 Aug 09 ]

(4) In map configuration and in users.... it is possible to save a not allowed URL

gcalenko RESOLVED r71055 r71059 r71063 Added validation for:

  • maps URL field
  • triggers URL field
  • user "after login" URL field

Miks.Kronkalns CLOSED
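
The fix recorded above adds validation to the map, trigger and "after login" URL fields so that a value such as the report's javascript:alert('eas') is rejected with "Wrong value for url field." The following is an added example of such a check, not the Zabbix frontend's own code: it uses an allowlist of schemes chosen for this example (the issue does not say which schemes Zabbix accepts), treats relative links as acceptable, and normalises the value the way a browser does before reading the scheme, so that case changes and embedded control characters do not slip past the check. The sample URLs are constructed.

```python
import re
from typing import Optional

# Allowlist of schemes a URL field may carry. Chosen for this example; the issue only
# records that validation was added, not which schemes Zabbix accepts.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# Browsers strip ASCII control characters (0x00-0x1f, 0x7f) and spaces before they
# parse a URL, so "java\tscript:alert(1)" still runs as javascript:. Strip them the
# same way before looking at the scheme, or a naive startswith() check is bypassed.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

# Error text the issue lists as the new translation string.
WRONG_VALUE_MSG = "Wrong value for url field."


def extract_scheme(url: str) -> Optional[str]:
    """Lowercase scheme as a browser would parse it, or None for a relative URL."""
    cleaned = _CONTROL_OR_SPACE.sub("", url)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_url(url: str) -> bool:
    """Accept an empty field, a relative link, or an allowlisted scheme; reject the rest."""
    if _CONTROL_OR_SPACE.sub("", url) == "":
        return True  # optional field left blank
    scheme = extract_scheme(url)
    if scheme is None:
        return True  # relative link such as /zabbix.php?action=map.view
    return scheme in ALLOWED_SCHEMES


def validate_url_field(url: str) -> Optional[str]:
    """Return the error message the form should show, or None when the value is accepted."""
    return None if is_safe_url(url) else WRONG_VALUE_MSG


# Constructed inputs: the payload from the report, obfuscated variants of it, and
# values a map link legitimately carries.
SAMPLE_URLS = {
    "http://example.invalid/host.php?hostid=1": True,
    "https://example.invalid/": True,
    "/zabbix.php?action=map.view&sysmapid=1": True,
    "mailto:noc@example.invalid": True,
    "": True,
    "javascript:alert('eas')": False,        # the payload from the report
    "JaVaScRiPt:alert('eas')": False,        # scheme matching is case-insensitive
    "java\tscript:alert('eas')": False,      # tab inside the scheme
    " \x01javascript:alert('eas')": False,   # leading space and control byte
    "data:text/html,<script>alert(1)</script>": False,
    "vbscript:MsgBox(1)": False,
    "localhost:8080/": False,                # parses as scheme "localhost": not allowlisted
}


def check_samples() -> bool:
    """True when every constructed sample is classified as expected."""
    return all(is_safe_url(url) is expected for url, expected in SAMPLE_URLS.items())


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url!r:45} -> {validate_url_field(url) or 'ok'}")
```

Two caveats a practitioner should keep in mind. First, a scheme allowlist applied to the raw field value rejects a URL that begins with a macro (the linked ZBX-13093 reports exactly that for LLD macros); if macros are permitted in the field, the value has to be validated again after expansion, because a macro that expands to nothing would leave a bare javascript: URL. Second, this check limits which URLs are stored; the page that renders the link still has to HTML-encode the value in the href attribute.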

Comment by Gregory Chalenko [ 2017 Aug 23 ]

Fixed in:

  • 2.2 r71523

Comment by Gregory Chalenko [ 2017 Aug 31 ]

Fixed in:

  • 3.0 r71981
  • 3.2 r72014
  • 3.4 r71998
  • trunk r71999

Comment by Martins Valkovskis [ 2017 Sep 26 ]

Updated documentation about the new constant:

Comment by Ivo Kurzemnieks [ 2018 Feb 16 ]

(11) [D] API documentation?

gcalenko Added changes:

RESOLVED

iivs CLOSED
