[ZBX-3835] Cross Site Scripting Vulnerability
| Created: 2011 May 23 | Updated: 2017 May 30 | Resolved: 2011 Jul 28 |
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Frontend (F) |
| Affects Version/s: | None |
| Fix Version/s: | 1.8.6 |
| Type: | Incident report | Priority: | Minor |
| Reporter: | Damian Tommasino | Assignee: | Unassigned |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: | Any |
| Attachments: |
|
| Description |
|
The acknow.php page is vulnerable to reflected XSS attacks. The following section of code doesn't sanitize data properly:

    if(isset($_REQUEST['saveandreturn'])) {
        $url = new CUrl(urldecode($_REQUEST['backurl']));
        jsRedirect($url->getUrl());
        exit();
    }

The $_REQUEST['backurl'] parameter can be manipulated to perform the XSS attack. Using a proxy, capture the parameters request and replace the backurl parameter with the following: </script><script>alert('XSS');</script> (see attachment for PoC).

Fix: Sanitize the backurl request parameter and don't assume the user is going to leave the <url>.php in place |
| Comments |
| Comment by Alexey Fukalov [ 2011 Jul 14 ] |
|
dev branch: svn://svn.zabbix.com/branches/dev/ZBX-3835 |
| Comment by Alexey Fukalov [ 2011 Jul 28 ] |
|
svn://svn.zabbix.com/branches/1.8 -r20789 |
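
The fix the report asks for (sanitize backurl and do not assume it still names a <url>.php page), sketched as an added example; this is not Zabbix's code or the committed patch. The function names are hypothetical, and it assumes the redirect is written into an inline script block, as the payload in the report implies.

```php
<?php
// Added example, not Zabbix code. safe_back_url() and js_redirect_snippet()
// are hypothetical names introduced for illustration.

// Return a same-directory "<page>.php[?query]" target, or the fallback.
function safe_back_url(?string $raw, string $fallback = 'index.php'): string {
    if ($raw === null || $raw === '') {
        return $fallback;
    }
    // $_REQUEST values are already URL-decoded once by PHP; decoding again
    // would let a double-encoded value slip past the checks below.
    $parts = parse_url($raw);
    if ($parts === false
        || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user']) || isset($parts['fragment'])) {
        return $fallback;           // absolute, protocol-relative or malformed
    }
    $path = $parts['path'] ?? '';
    if (!preg_match('/\A[a-z0-9_]+\.php\z/i', $path)) {
        return $fallback;           // only a plain script name is accepted
    }
    // Rebuild the query from parsed pairs so every key and value is re-encoded.
    parse_str($parts['query'] ?? '', $query);
    $qs = http_build_query($query);
    return $qs === '' ? $path : $path . '?' . $qs;
}

// Build the redirect for an inline <script> context.
function js_redirect_snippet(string $url): string {
    // JSON_HEX_* emits <, >, &, ' and " as \uXXXX escapes, so the value cannot
    // close the string literal or the surrounding <script> element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($url, $flags);
    return '<script type="text/javascript">window.location.replace('
        . $literal . ');</script>';
}

// Constructed inputs: the payload quoted in the report, an off-site target,
// and an ordinary return URL (page name and ids are made up).
$samples = [
    "</script><script>alert('XSS');</script>",
    '//example.invalid/x.php',
    'overview.php?groupid=0&hostid=10017',
];
foreach ($samples as $s) {
    echo js_redirect_snippet(safe_back_url($s)), "\n";
}
```

The first two inputs fall back to index.php; the third is kept, with its `&` emitted as `\u0026` inside the JavaScript string.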