[ZBX-5700] Lack of permission checks in Frontend. Created: 2012 Oct 17 Updated: 2017 May 30 Resolved: 2012 Oct 24 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Frontend (F) |
| Affects Version/s: | 2.0.4, 2.1.0 |
| Fix Version/s: | 2.0.4rc1, 2.1.0 |
| Type: | Incident report | Priority: | Minor |
| Reporter: | Eduards Samersovs (Inactive) | Assignee: | Oleg Egorov (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||
| Description |
|
It is possible to open many pages with incorrect ID and see undefined indexes or no data. Instead correct error message must be showen. Code must be similar with: Affected pages: |
| Comments |
| Comment by Oleg Egorov (Inactive) [ 2012 Oct 18 ] |
|
Fixed error after deleting image: |
| Comment by Oleg Egorov (Inactive) [ 2012 Oct 18 ] |
|
Affected pages: oleg.egorov RESOLVED IN svn://svn.zabbix.com/branches/dev/ZBX-5700 r30942 |
| Comment by Eduards Samersovs (Inactive) [ 2012 Oct 22 ] |
|
(1) Require put id validation also on delete. For example in slide shows if we with hands open url "slideconf.php?delete=1&form=update&slideshowid=2000000&sid=45b2c4a742fe312a" with incorrect slideshowid nothing happens, but must be access_deny() error. oleg.egorov RESOLVED |
| Comment by Eduards Samersovs (Inactive) [ 2012 Oct 22 ] |
|
(2) Please move permission checks on top of php script (after input params validation). oleg.egorov RESOLVED IN svn://svn.zabbix.com/branches/dev/ZBX-5700 r31013 |
| Comment by Oleg Egorov (Inactive) [ 2012 Oct 22 ] |
|
Fixed duplicates in audit log after deleting |
| Comment by Oleg Egorov (Inactive) [ 2012 Oct 22 ] |
|
Fixed problem with spaces in audit log |
| Comment by Eduards Samersovs (Inactive) [ 2012 Oct 23 ] |
|
(3) Please use get_slideshow_by_slideshowid() in slideconf.php line 66 oleg.egorov RESOLVED |
| Comment by Eduards Samersovs (Inactive) [ 2012 Oct 23 ] |
|
(4) It's still possible to call page with incorrect IDs through GO methods, for example in slide shows: slideconf.php?shows=1000000&go=delete&sid=45b2c4a742fe312a oleg.egorov RESOLVED |
| Comment by Eduards Samersovs (Inactive) [ 2012 Oct 23 ] |
|
(5) Please rename variable $db_proxy (in proxies.php) to $dbProxies. Because we use "Java style" for variables and "s" because it's return multiple rows. Same for over pages to.. oleg.egorov RESOLVED |
| Comment by Eduards Samersovs (Inactive) [ 2012 Oct 23 ] |
|
(6) If you see old unformatted code be happy to fix it, for example in adm.images.php line:46 oleg.egorov RESOLVED |
| Comment by Eduards Samersovs (Inactive) [ 2012 Oct 23 ] |
|
This issue must fix also oleg.egorov RESOLVED IN svn://svn.zabbix.com/branches/dev/ZBX-5700 r31070 |
| Comment by Eduards Samersovs (Inactive) [ 2012 Oct 25 ] |
|
(7) Suggest do optimization for permissions check on GO, as we discussed. oleg.egorov RESOLVED IN r31080 |
| Comment by Eduards Samersovs (Inactive) [ 2012 Oct 25 ] |
|
Tested! |
| Comment by Oleg Egorov (Inactive) [ 2012 Oct 25 ] |
|
FIXED IN 2.0.4rc1 r31084, 2.1.0(trunk) r31085 |