[ZBX-6952] Stored XSS in page_header.php
Created: 2013 Sep 04 | Updated: 2017 May 30 | Resolved: 2013 Sep 18
Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.0.8
Fix Version/s: 2.0.9rc1, 2.1.5
Type: Incident report | Priority: Critical
Reporter: Lincoln | Assignee: Ivo Kurzemnieks
Resolution: Fixed | Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Ubuntu
Description
The default_theme is set by an administrative user who has access to adm.gui.php.
adm.gui.php: default_theme is not sanitized before being stored in the database.
page_header.php:
Example: (change sid to valid admin sid)
Response:
page_header.php is called in every page:
blah@blah:/var/www/zabbix$ grep -i "page_header" ./*
The theme saved is displayed for every user on every page, making this critical.
Thanks
-Lincoln
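The pattern behind this report, as an added illustration in PHP (the frontend's language) that is not Zabbix's own code: a stored theme name is interpolated straight into the stylesheet href and body class, and the fix is an allowlist check where the value is saved plus HTML escaping where it is emitted. The theme list, the `styles/themes/...` path and the function names are constructed for the example.

```php
<?php
// Added example, not Zabbix code. Theme names and paths are constructed.

// Constructed allowlist; the real frontend keeps its own theme list.
const KNOWN_THEMES = ['classic', 'originalblue', 'darkblue', 'darkorange'];

/**
 * Input-side fix: accept a theme name only if it is a known theme.
 * Called wherever the value is saved (GUI settings, profile, users API).
 */
function validateTheme(string $theme): ?string
{
    return in_array($theme, KNOWN_THEMES, true) ? $theme : null;
}

/**
 * Vulnerable pattern: the stored value is concatenated as-is into the
 * stylesheet href and the body class, so whatever sits in the database
 * becomes markup on every page for every user.
 */
function renderHeaderVulnerable(string $theme): string
{
    return '<link rel="stylesheet" href="styles/themes/' . $theme . '/main.css">'
         . "\n" . '<body class="' . $theme . '">';
}

/**
 * Hardened pattern: an unknown value falls back to the default theme, and
 * the emitted value is still HTML-escaped as a second, independent layer.
 */
function renderHeaderHardened(string $storedTheme): string
{
    $theme = validateTheme($storedTheme) ?? KNOWN_THEMES[0];
    $safe  = htmlspecialchars($theme, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<link rel="stylesheet" href="styles/themes/' . $safe . '/main.css">'
         . "\n" . '<body class="' . $safe . '">';
}

// Constructed stored value that closes the attribute and adds an element.
$tampered = 'classic"><b>injected</b>';

echo renderHeaderVulnerable($tampered), "\n\n"; // the <b> element reaches the page
echo renderHeaderHardened($tampered), "\n";     // renders the default "classic" theme

// Sanity check: no raw element from the stored value survives the hardened path.
assert(strpos(renderHeaderHardened($tampered), '<b>') === false);
```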
Comments
Comment by Ivo Kurzemnieks [ 2013 Sep 17 ]
RESOLVED for 2.0 in svn://svn.zabbix.com/branches/dev/ZBX-6952
Comment by Pavels Jelisejevs (Inactive) [ 2013 Sep 17 ]
(1) The same vulnerability exists on the profile and user configuration pages.
iivs RESOLVED for 2.0 svn://svn.zabbix.com/branches/dev/ZBX-6952 in r38546 (ChangeLog update in r38547)
jelisejev It also has to be fixed on the user configuration page (users.php).
iivs RESOLVED in r38560
jelisejev CLOSED.
Comment by Pavels Jelisejevs (Inactive) [ 2013 Sep 17 ]
(2) The name of the CSS theme file and body class must be escaped in page_header.php.
iivs RESOLVED for 2.0 svn://svn.zabbix.com/branches/dev/ZBX-6952 in r38546 (ChangeLog update in r38547)
jelisejev CLOSED.
Comment by Pavels Jelisejevs (Inactive) [ 2013 Sep 17 ]
(3) Please add theme validation in the users API (trunk only).
iivs RESOLVED for trunk in svn://svn.zabbix.com/branches/dev/ZBX-6952-trunk r38553
jelisejev I've made some changes in r38555, please review.
iivs REVIEWED. Thanks! Made a small update for trunk regarding (1). See r38559
jelisejev CLOSED.
Comment by Pavels Jelisejevs (Inactive) [ 2013 Sep 17 ]
TESTED.
Comment by Ivo Kurzemnieks [ 2013 Sep 17 ]
Fixed in pre-2.0.9rc1 r38565 and pre-2.1.5 (trunk) r38566
Comment by Pavels Jelisejevs (Inactive) [ 2013 Sep 18 ]
(4) The fix for theme validation should be noted in the 2.2 API changelog.
iivs RESOLVED.
jelisejev CLOSED.