[ZBX-5700] Lack of permission checks in Frontend. Created: 2012 Oct 17 Updated: 2017 May 30 Resolved: 2012 Oct 24

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.0.4, 2.1.0
Fix Version/s: 2.0.4rc1, 2.1.0
Type: Incident report
Priority: Minor
Reporter: Eduards Samersovs (Inactive)
Assignee: Oleg Egorov (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Issue Links:
Description
It is possible to open many pages with an incorrect ID and see undefined indexes or no data. Instead, a correct error message must be shown. Code must be similar to: Affected pages:
Comments
Comment by Oleg Egorov (Inactive) [ 2012 Oct 18 ]
Fixed error after deleting image:
Comment by Oleg Egorov (Inactive) [ 2012 Oct 18 ]
Affected pages: oleg.egorov RESOLVED IN svn://svn.zabbix.com/branches/dev/ZBX-5700 r30942
Comment by Eduards Samersovs (Inactive) [ 2012 Oct 22 ]
(1) Require id validation also on delete. For example, in slide shows, if we open the URL "slideconf.php?delete=1&form=update&slideshowid=2000000&sid=45b2c4a742fe312a" by hand with an incorrect slideshowid, nothing happens, but there must be an access_deny() error. oleg.egorov RESOLVED
Comment by Eduards Samersovs (Inactive) [ 2012 Oct 22 ]
(2) Please move permission checks to the top of the PHP script (after input params validation). oleg.egorov RESOLVED IN svn://svn.zabbix.com/branches/dev/ZBX-5700 r31013
Comment by Oleg Egorov (Inactive) [ 2012 Oct 22 ]
Fixed duplicates in audit log after deleting
Comment by Oleg Egorov (Inactive) [ 2012 Oct 22 ]
Fixed problem with spaces in audit log
Comment by Eduards Samersovs (Inactive) [ 2012 Oct 23 ]
(3) Please use get_slideshow_by_slideshowid() in slideconf.php line 66 oleg.egorov RESOLVED
Comment by Eduards Samersovs (Inactive) [ 2012 Oct 23 ]
(4) It's still possible to call the page with incorrect IDs through GO methods, for example in slide shows: slideconf.php?shows=1000000&go=delete&sid=45b2c4a742fe312a oleg.egorov RESOLVED
Comment by Eduards Samersovs (Inactive) [ 2012 Oct 23 ]
(5) Please rename variable $db_proxy (in proxies.php) to $dbProxies, because we use "Java style" for variables, and the "s" because it returns multiple rows. Same for other pages too. oleg.egorov RESOLVED
Comment by Eduards Samersovs (Inactive) [ 2012 Oct 23 ]
(6) If you see old unformatted code, be happy to fix it, for example in adm.images.php line 46 oleg.egorov RESOLVED
Comment by Eduards Samersovs (Inactive) [ 2012 Oct 23 ]
This issue must also be fixed oleg.egorov RESOLVED IN svn://svn.zabbix.com/branches/dev/ZBX-5700 r31070
Comment by Eduards Samersovs (Inactive) [ 2012 Oct 25 ]
(7) Suggest doing optimization of the permissions check on GO, as we discussed. oleg.egorov RESOLVED IN r31080
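The check order asked for in comments (1), (2) and (4), as an added illustration that is not Zabbix code from this issue: validate every incoming id first, then confirm the object exists (and so the caller may act on it) before any update, delete or GO mass-action code runs. get_slideshow_by_slideshowid() and access_deny() are assumed to be the real frontend helpers; they are stubbed here so the file runs on its own.

```php
<?php
// Added example, not code from the ZBX-5700 fix. The two helpers below stand in
// for the Zabbix frontend functions named in the thread (assumption).
function get_slideshow_by_slideshowid($id) {
    // Stand-in for the DB lookup: only slideshowid 1 "exists" in this demo.
    $known = array(1 => array('slideshowid' => 1, 'name' => 'Demo slide show'));
    return isset($known[$id]) ? $known[$id] : false;
}

function access_deny() {
    // The real helper renders a permission error page and exits.
    throw new Exception('Access denied.');
}

// Runs once at the top of the page script, before any action handler.
// Step 1: every id must be a positive integer (input validation).
// Step 2: every id must resolve to an existing object (permission check).
// Covers form=update / delete=1 (slideshowid) and GO mass actions (shows[]).
function check_slideshow_access(array $request) {
    $ids = array();
    if (isset($request['slideshowid'])) {
        $ids[] = $request['slideshowid'];
    }
    if (isset($request['shows'])) {
        $ids = array_merge($ids, (array) $request['shows']);
    }
    foreach ($ids as $id) {
        if (!ctype_digit((string) $id) || (int) $id < 1) {   // step 1
            access_deny();
        }
        if (!get_slideshow_by_slideshowid((int) $id)) {       // step 2
            access_deny();
        }
    }
}

// Constructed sample requests (not from the page): a valid update and a
// GO delete with a bogus id, the case comment (4) describes.
$samples = array(
    array('slideshowid' => '1', 'form' => 'update'),
    array('shows' => array('1000000'), 'go' => 'delete'),
);
foreach ($samples as $req) {
    try {
        check_slideshow_access($req);
        echo "allowed\n";
    } catch (Exception $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Because the check sits above the action dispatch, the delete and update branches never execute with an id that failed validation or lookup, which is what removes the "nothing happens" behaviour noted in comment (1).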
Comment by Eduards Samersovs (Inactive) [ 2012 Oct 25 ]
Tested!
Comment by Oleg Egorov (Inactive) [ 2012 Oct 25 ]
FIXED IN 2.0.4rc1 r31084, 2.1.0(trunk) r31085