[ZBX-7981] "Exists" API methods ignore permissions Created: 2014 Mar 21 Updated: 2020 Jul 16 Due: 2014 Apr 30 Resolved: 2014 May 06 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | API (A), Frontend (F) |
Affects Version/s: | 1.8.20, 2.0.11rc2, 2.2.3rc1, 2.3.0 |
Fix Version/s: | 2.3.0 |
Type: | Defect (Security) | Priority: | Major |
Reporter: | Pavels Jelisejevs (Inactive) | Assignee: | Ivo Kurzemnieks |
Resolution: | Fixed | Votes: | 0 |
Labels: | api, security | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Description |
The "exists" methods, which allow to check whether an object matching some criteria, exists does not check permissions. For example, we can find out, if host "Zabbix server" exists, even if we don't have permissions to it. This vulnerability is not that critical, since there are other ways we can find this out: we can try to create a host with the same name, and see if an error is triggered. But in the case with "exists" methods, we have some additional uses: for example, check if an item with a specific key exists on a host we have no permissions to. |
Comments |
Comment by Pavels Jelisejevs (Inactive) [ 2014 Mar 21 ] |
These methods will be deprecated in 2.4 and removed in 2.6. Get methods can be used as an alternative. The issue will be fixed the supported stable releases. |
Comment by Ivo Kurzemnieks [ 2014 Apr 11 ] |
RESOLVED for 1.8 in svn://svn.zabbix.com/branches/dev/ZBX-7981 |
Comment by Pavels Jelisejevs (Inactive) [ 2014 Apr 16 ] |
After some internal discussions we've decided to fix this issue only in 2.4. Fixing it in all releases requires too much work. |
Comment by Ivo Kurzemnieks [ 2014 Apr 17 ] |
(1) Found a related issue when performing host.massupdate and passing one host trying to rename it to an existing template, validation worked iivs RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-7981-trunk r44582 |
Comment by Ivo Kurzemnieks [ 2014 Apr 23 ] |
(2) Translatable strings added: Eduards CLOSED |
Comment by Ivo Kurzemnieks [ 2014 Apr 23 ] |
RESOLVED for 2.3.0 (trunk) svn://svn.zabbix.com/branches/dev/ZBX-7981-trunk r44696 |
Comment by Eduards Samersovs (Inactive) [ 2014 Apr 24 ] |
(3) We can optimize new query in CDRule.create to get all used names for unique validation at once. Same for update. iivs drule.create and drule.update has been improved. RESOLVED in r44771 Eduards REOPEN,
iivs RESOLVED in r44913 (drule.update changes r44917) Eduards REOPEN in CDRule.php:490 You create array with unique names and after validate for duplicates iivs Array did not contain unique names. After discussion we decided to slighty refactor the code there. RESOLVED in r44952, 44953 Eduards CLOSED |
Comment by Eduards Samersovs (Inactive) [ 2014 Apr 24 ] |
(4) Same optimization also can be done in Graph validation. Also seems in CGraph.php:394 we don't need to make zbx_strtolower() because we can save graphs with name "a" and "A". Also please keep empty line before "if.." in CGraph.php:393, it's hard to read code without "delimiters". Same in GraphPrototype iivs Agree, it would be good to optimize it, but for graphs it's more complacated and because we're now moving away from original issue, optimization will be done in separate issue. However, indeed, there was a bug when comparing case insensitive names. This has been RESOLVED in r44874 Eduards REOPEN, Ok, so change comparison to strict in CGraph.php:394 and CGraphPrototype.php:406 iivs Yes, sorry, I forgot. RESOLVED in r44914 Eduards CLOSED |
Comment by Eduards Samersovs (Inactive) [ 2014 Apr 24 ] |
(5) Same optimization can be done in CHostGroups.create(), CImage.create(), CMaintenance.create(), CTemplate.validateCreate(), CUserGroup.create(). Same also in multiple places in XML import. Other improvements will be moved to separate issue in the near future. I made some improvements in following APIs:
Also code CMaintenance.php:500-507 can be optimized
Eduards REOPEN
iivs Cannot reproduce last problem. I tried also with fresh install. Refactoring (as discussed) RESOLVED in r44954 ----------------- Eduards CLOSED |
Comment by Eduards Samersovs (Inactive) [ 2014 Apr 24 ] |
(6) CTemplate.php:994,1009,1031,1046 - limit=1 is not needed because in db can be only one template with the given name. |
Comment by Eduards Samersovs (Inactive) [ 2014 Apr 29 ] |
Tested |
Comment by Ivo Kurzemnieks [ 2014 Apr 29 ] |
Implemented and fixed in pre-2.3.0 (trunk) r44991 |
Comment by richlv [ 2014 Apr 29 ] |
(7) one of the changelog entries does not follow the guidelines
from the guidelines :
iivs RESOLVED in r45008 <richlv> looking great, thanks -> CLOSED |
Comment by richlv [ 2014 Apr 29 ] |
(8) the comment says "optimized several API create and updated methods to query existing names all at once instead of each iteration" - thanks for mentioning it, but could you please list all methods that have been optimised ? iivs Yes, trunk only (fixed versions says so). <richlv> thanks, CLOSED |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 06 ] |
(9) The CApiService::deprecated() method must not be called statically. iivs RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-7981 r45090 jelisejev CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 06 ] |
(10) Updated the API docs:
iivs REVIEWED. Looks good. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 07 ] |
TESTED. |
Comment by Ivo Kurzemnieks [ 2014 May 07 ] |
Deprecated "exists" methods corrected to non-static. Fixed in pre-2.3.0 (trunk) r45138 |