[ZBX-13345] Bypassing CSRF check in screens
Created: 2017 Oct 17
Updated: 2024 Apr 10
Resolved: 2018 Jan 18
Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: None
Fix Version/s: 3.0.15rc1, 3.4.7rc1, 4.0.0alpha3, 4.0 (plan)
Type: Defect (Security)
Priority: Critical
Reporter: Vjaceslavs Bogdanovs
Assignee: Miks Kronkalns
Resolution: Fixed
Votes: 0
Labels: csrf, frontend, js, screen, security, url
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Attachments: screen_message.png, screen_permissions.png, too_safe.png, user_created.png
Team: Team B
Sprint: Sprint 23, Sprint 24, Sprint 25
Story Points: 0.25
Description
Long story short: the SID should not be available in the URL. Consider the following attack vector:
As a PoC I created this kind of script (~45 lines of JS code). When the script is executed without the SID, the following error (part of a social engineering attack) is shown:
Additional problems with CSRF check:
Additional problems with URL elements:
Comments
Comment by Vjaceslavs Bogdanovs [ 2017 Oct 20 ]
Easy fix is to remove the SID from the URL and add some notes to the security guidelines about the same-domain policy.
Comment by Vjaceslavs Bogdanovs [ 2018 Jan 05 ]
(1) [F] No translation string changes. Miks.Kronkalns Thank you! CLOSED
Comment by Miks Kronkalns [ 2018 Jan 17 ]
Fixed: