[ZBX-6952] Stored XSS in page_header.php Created: 2013 Sep 04  Updated: 2017 May 30  Resolved: 2013 Sep 18

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.0.8
Fix Version/s: 2.0.9rc1, 2.1.5

Type: Incident report Priority: Critical
Reporter: Lincoln Assignee: Ivo Kurzemnieks
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Ubuntu



Description

The default_theme is set by an administrative user who has access to adm.gui.php

adm.gui.php:
$configs = array(
'default_theme' => get_request('default_theme'),
...
);
update_config($configs);

default_theme is not sanitized before being stored in the database

page_header.php:
$css = $config['default_theme'];
<body class="<?php echo $css; ?>">

Example:
http://zabbixserver/zabbix/adm.gui.php?sid=f449c57db01c1234&form_refresh=1&form_refresh=1&default_theme=originalblue">test1234<script>alert("xss")</script>&dropdown_first_entry=1&dropdown_first_remember=1&search_limit=1000&max_in_table=50&event_ack_enable=1&event_expire=7&event_show_max=100&server_check_interval=10&save=Save

(change sid to valid admin sid)

Response:
<body class="originalblue">
test1234
<script>
alert("xss")
</script>
/main.css" />

page_header.php is called in every page

blah@blah:/var/www/zabbix$ grep -i "page_header" ./*
./acknow.php:require_once dirname(__FILE__).'/include/page_header.php';
./actionconf.php:require_once dirname(__FILE__).'/include/page_header.php';
./adm.gui.php:require_once dirname(__FILE__).'/include/page_header.php';
./adm.housekeeper.php:require_once dirname(__FILE__).'/include/page_header.php';
./adm.iconmapping.php:require_once dirname(__FILE__).'/include/page_header.php';
....truncated....

The theme saved is displayed for every user on every page, making this critical.

Thanks

-Lincoln
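Added example (not Zabbix code, and not part of the report or its comments): an allowlist check on the submitted theme value, in the spirit of the theme validation the comments ask for, beside escaping of the body class and stylesheet name at the point where page_header.php echoes them. The theme names other than originalblue, the styles/themes/<name>/main.css path and the function names are assumptions for illustration; the input string is constructed from the payload in the report.

```php
<?php
// Added example, not Zabbix code: reject unknown theme names when the setting is
// saved, and escape the stored value when it is written into HTML attributes.

// Assumed allowlist for illustration; only 'originalblue' appears in the report.
const KNOWN_THEMES = ['originalblue', 'darkblue', 'darkorange', 'classic'];

// Write-time check: return the theme only if it is one of the known names,
// otherwise null so the caller can refuse the update instead of storing it.
function validate_theme(string $theme): ?string
{
    return in_array($theme, KNOWN_THEMES, true) ? $theme : null;
}

// Rendering as described in the report: the stored value is echoed raw into the
// stylesheet path and the body class, so a quote in it closes the attribute.
// (Path layout is assumed for illustration.)
function render_header_vulnerable(string $css): string
{
    return '<link rel="stylesheet" href="styles/themes/' . $css . '/main.css" />' . "\n"
         . '<body class="' . $css . '">';
}

// Hardened rendering: escape for the HTML attribute context, so even a value that
// reached the database before validation existed cannot break out of the attribute.
function render_header_safe(string $css): string
{
    $safe = htmlspecialchars($css, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<link rel="stylesheet" href="styles/themes/' . $safe . '/main.css" />' . "\n"
         . '<body class="' . $safe . '">';
}

// Constructed input modelled on the report's default_theme value.
$payload = 'originalblue">test1234<script>alert("xss")</script>';

// Validation rejects the payload and accepts a real theme name.
var_dump(validate_theme($payload));
var_dump(validate_theme('originalblue'));

// Compare the raw and escaped output for the same stored value: the first closes
// the class attribute and emits a script element, the second keeps it inside the
// attribute as text.
echo render_header_vulnerable($payload), "\n\n";
echo render_header_safe($payload), "\n";
```

Both measures are needed: validation stops new bad values from being stored (the adm.gui.php and users.php paths), while output escaping protects every page that includes page_header.php from a value already in the database.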



Comments
Comment by Ivo Kurzemnieks [ 2013 Sep 17 ]

RESOLVED for 2.0 in svn://svn.zabbix.com/branches/dev/ZBX-6952

Comment by Pavels Jelisejevs (Inactive) [ 2013 Sep 17 ]

(1) The same vulnerability exists on the profile and user configuration pages.

iivs RESOLVED for 2.0 svn://svn.zabbix.com/branches/dev/ZBX-6952 in r38546 (ChangeLog update in r38547)

jelisejev It also has to be fixed on the user configuration page (users.php).

iivs RESOLVED in r38560

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2013 Sep 17 ]

(2) The name of the CSS theme file and body class must be escaped in page_header.php.

iivs RESOLVED for 2.0 svn://svn.zabbix.com/branches/dev/ZBX-6952 in r38546 (ChangeLog update in r38547)

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2013 Sep 17 ]

(3) Please add theme validation in the users API (trunk only).

iivs RESOLVED for trunk in svn://svn.zabbix.com/branches/dev/ZBX-6952-trunk r38553

jelisejev I've made some changes in r38555, please review.

iivs REVIEWED. Thanks! Made a small update for trunk regarding (1). See r38559

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2013 Sep 17 ]

TESTED.

Comment by Ivo Kurzemnieks [ 2013 Sep 17 ]

Fixed in pre-2.0.9rc1 r38565 and pre-2.1.5 (trunk) r38566

Comment by Pavels Jelisejevs (Inactive) [ 2013 Sep 18 ]

(4) The fix for theme validation should be noted in the 2.2 API changelog.

iivs RESOLVED.
Please review: https://www.zabbix.com/documentation/2.2/manual/api/changes_2.0_-_2.2?do=diff&rev2[0]=1379489843&rev2[1]=

jelisejev CLOSED.

Generated at Thu Apr 25 17:15:29 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.