[ZBX-16765] Bypass Auth When using application/x-www-form-urlencoded Created: 2019 Oct 14  Updated: 2020 Jul 16  Resolved: 2019 Oct 15

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 4.4.0
Fix Version/s: None

Type: Defect (Security) Priority: Critical
Reporter: Mickael Martin Assignee: Unassigned
Resolution: Won't fix Votes: 0
Labels: frontend, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Causes
causes ZBXNEXT-5532 Disable Guest user by default Closed
Duplicate
is duplicated by ZBX-16789 CVE-2019-17382 An attacker can bypass... Closed

Description

Steps to reproduce:

  1. Cf. https://www.exploit-db.com/exploits/47474
  2. Cf. https://blog.firosolutions.com/exploits/zabbix-auth-bypass/

Content-Type => "application/x-www-form-urlencoded" seems not checked correctly.


Result:
Bypass authentication on many URLs.
Expected:
Logon page displayed.



Comments
Comment by Valdis Murzins [ 2019 Oct 14 ]

Hello mma,

From what I see, these pages are accessible because the system has the guest account enabled. With the guest account enabled, any unauthenticated request is performed as this guest user.
If you want to have these pages accessible only by authenticated users, you should disable the guest account.

Comment by Mickael Martin [ 2019 Oct 15 ]

Yes, exactly. Disabling the guest user removes access.

You can close, sorry.

Comment by Mickael Martin [ 2019 Oct 15 ]

Disabling the guest user removes public access (normal!).


Comment by Mickael Martin [ 2019 Oct 15 ]

But maybe you can hide the 'system information' block: the guest can see important information and know whether it's a small/demo server or an important server.

Stats and status seem to be sensitive information.

Comment by Valdis Murzins [ 2019 Nov 01 ]

In ZBXNEXT-5532 the guest user will be disabled by default; as a result, this will no longer be possible in a default installation.
