[ZBX-12769] Reflected xss vulnerabilities Created: 2017 May 02  Updated: 2024 Apr 10  Resolved: 2017 Sep 12

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 4.0.0alpha1
Fix Version/s: 2.2.20rc1, 3.0.11rc1, 3.2.8rc1, 3.4.2rc1, 4.0.0alpha1, 4.0 (plan)

Type: Defect (Security) Priority: Blocker
Reporter: Vjaceslavs Bogdanovs Assignee: Gregory Chalenko
Resolution: Fixed Votes: 0
Labels: frontend, security, xss
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File reflected_xss.png    
Issue Links:
Sub-task
depends on ZBX-12768 WASA Findings from NSOC Team Closed
Team: Team A
Sprint: Sprint 15, Sprint 16
Story Points: 1

 Description   

There are multiple reflected XSS vulnerabilities in the frontend.

POC is the following maliciously crafted link ("zabbix.internal" should be replaced with your domain name):
http://zabbix.internal/popup.php?dstfrm=expression&dstfld1=itemid&srctbl=items&srcfld2=name&srcfld1=itemid&dstfld2=%22:alert(document.cookie)%2B%22%22,%22

This link leads to a page with an item list. Each item name contains an onclick handler with the injected script.

Clicking on any of the item names causes script execution.

Another example would be the following link:
http://zabbix.internal/screen.import.php?backurl=javascript:alert(document.cookie)&

Clicking the "Cancel" button will cause execution of the injected script.
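
Output handling for the two sinks shown in the description (a request value inside the JavaScript string of an onclick handler, and backurl used as a navigation target), added here as an example; it is not Zabbix's fix or code. The function names, the pick() handler, the identifier pattern and the index.php default are assumptions.

```php
<?php
// Added example; not Zabbix code. Function names and pick() are hypothetical.

// Sink 1: a request value written into a JavaScript string inside an HTML
// event-handler attribute. Encode for the inner context first (JS string
// literal via JSON), then for the outer one (HTML attribute).
function js_string_in_attr(string $value): string
{
    $js = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parameters like dstfld2 name a form field, so anything that is not a
// plain identifier can be rejected up front (assumed format).
function is_field_name(string $value): bool
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/D', $value) === 1;
}

// Sink 2: a request value used as a navigation target (backurl). Accept only
// a relative "page.php?query" form, which leaves no room for a scheme such
// as javascript: or for another host; otherwise fall back to a default.
function safe_backurl(string $url, string $default = 'index.php'): string
{
    $ok = preg_match('/^[A-Za-z0-9_.]+\.php(\?[A-Za-z0-9_=&%.\[\]-]*)?$/D', $url);
    return $ok === 1 ? $url : $default;
}

// Constructed inputs: the decoded parameter values from the two links above,
// plus one benign backurl.
$dstfld2 = '":alert(document.cookie)+"","';
$backurl = 'javascript:alert(document.cookie)';

var_dump(is_field_name($dstfld2), is_field_name('itemid'));
echo '<a onclick="pick(', js_string_in_attr($dstfld2), ')">item</a>', PHP_EOL;
echo htmlspecialchars(safe_backurl($backurl), ENT_QUOTES, 'UTF-8'), PHP_EOL;
echo htmlspecialchars(safe_backurl('popup.php?srctbl=items'), ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

The allow-list check and the encoding are complementary: the first rejects values that cannot be field names, the second keeps any value that does get through inside the string literal.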



 Comments   
Comment by Gregory Chalenko [ 2017 Aug 22 ]

(1) [F] No translation strings changes.

Miks.Kronkalns CLOSED

Comment by Miks Kronkalns [ 2017 Sep 04 ]

Code reviewed.

Comment by Gregory Chalenko [ 2017 Sep 08 ]

Fixed in:

  • 2.2 r72358
  • 3.0 r72361
  • 3.2 r72362
  • 3.4 r72363
  • trunk r72364

Comment by Gregory Chalenko [ 2017 Sep 12 ]

Fixed in:

  • 2.2 r72501
  • 3.0 r72502
  • 3.2 r72503
  • 3.4 r72504
  • trunk r72505