[ZBX-5348] More checks required for popup_bitem.php Created: 2012 Jul 18  Updated: 2020 Jul 16  Resolved: 2012 Jul 30

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 1.8.15rc1, 2.0.1
Fix Version/s: 1.8.15rc1, 2.0.2rc1, 2.1.0

Type: Defect (Security) Priority: Critical
Reporter: Oleksii Zagorskyi Assignee: Unassigned
Resolution: Fixed Votes: 1
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate

 Description   

The file "popup_bitem.php" allows the "itemid" argument to be passed unsanitised.



 Comments   
Comment by Alexander Vladishev [ 2012 Jul 19 ]

Fixed in pre-2.0.2 r28981 and pre-2.1.0 (beta) r28982.

Comment by Takanori Suzuki [ 2012 Jul 26 ]

Hi.

This issue also affects Zabbix 1.8.x.
I could make an exploit for 1.8.x by using the example from the following exploit. It succeeded in getting a user's session id.
http://www.exploit-db.com/exploits/20087/

I made a patch for Zabbix 1.8.x.
Could you apply my patch to 1.8.x branch?
https://gist.github.com/3181678

Comment by Alexey Fukalov [ 2012 Jul 30 ]

dev branch: svn://svn.zabbix.com/branches/dev/ZBX-5348
This fix should be used for 2.0 and trunk too.

Comment by Toms (Inactive) [ 2012 Jul 31 ]

TESTED

Comment by Alexander Vladishev [ 2012 Aug 01 ]

Also fixed in pre-1.8.15 r29282.

Comment by Takanori Suzuki [ 2012 Aug 01 ]

I checked that pre-1.8.15 r29282 works well.
My exploit for 1.8.x doesn't get the session id any more.
Thank you.
