ZABBIX 'formatQuery()' Cross Site Scripting Vulnerability

2010.08.05
Credit: Vendor
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Configuration:
==========
OS: Linux Debian Lenny (5.0)
HTTP Server: Apache 2.2.9 (from the Debian distribution)
PHP 5.2.6 (from the Debian distribution)
Zabbix 1.8.2
Browser: Firefox 3.6.3 (Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3)

How to reproduce:
==============
In Configuration/Screens:
- Create a graph in a template named "IO /dev/sda"
- Create a screen that includes the graph above and select "Dynamic item" in the graph configuration

In Monitoring/Screens:
- Select this screen. The screen is displayed and the graph is correctly labeled "IO /dev/sda"
- In the "Host" dropdown list (top left) select a host different from "Default". The screen is redisplayed and the graph is incorrectly labeled "IO %252Fdev%252Fsda"

It seems that in this scenario the URL is encoded twice.

Hope this helps
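The "%252F" in the label is the visible symptom: a "/" that was percent-encoded to "%2F" and then encoded again, so the "%" itself became "%25". The advisory title points at the underlying class of bug, a query-string value that is decoded and placed back into the page. The page gives no payload and no affected line, so the Python block below is an added, constructed illustration of that class and of a quick check for double encoding; it is not Zabbix code and not the fix shipped for ZBX-2326. The function names (encode_once, encode_twice, label_after_one_decode, is_double_encoded, render_label_vulnerable, render_label_fixed) and the "<script>" probe are assumptions made for the example.

```python
import html
import re
from urllib.parse import quote, unquote

# Graph name taken from the reproduction steps above.
GRAPH_NAME = "IO /dev/sda"


def encode_once(value: str) -> str:
    """Correct: percent-encode a raw value exactly once before putting it in a query string."""
    return quote(value, safe="")


def encode_twice(value: str) -> str:
    """The bug pattern: encode a value that is already encoded, so every '%' becomes '%25'."""
    return quote(quote(value, safe=""), safe="")


def label_after_one_decode(query_value: str) -> str:
    """What a page shows when it decodes the parameter a single time before display."""
    return unquote(query_value)


# A literal '%25' followed by two hex digits is almost always a '%' that was encoded again.
_DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def is_double_encoded(query_value: str) -> bool:
    """Heuristic check for the symptom seen in the reproduction steps."""
    return _DOUBLE_ENCODED.search(query_value) is not None


def render_label_vulnerable(query_value: str) -> str:
    """Hypothetical vulnerable pattern (not Zabbix's code): decode the parameter and echo it
    into markup with no HTML escaping, so any '<' in the decoded value reaches the browser."""
    return f'<div class="graph-label">{unquote(query_value)}</div>'


def render_label_fixed(query_value: str) -> str:
    """Hardened form: decode once, then HTML-escape before output."""
    return f'<div class="graph-label">{html.escape(unquote(query_value))}</div>'


if __name__ == "__main__":
    once = encode_once(GRAPH_NAME)
    twice = encode_twice(GRAPH_NAME)
    print("encoded once  :", once)
    print("encoded twice :", twice)
    print("shown on screen after one decode:", label_after_one_decode(twice))
    print("double-encoded?", is_double_encoded(twice), is_double_encoded(once))
    # Constructed reflected-XSS probe, not a payload from the advisory.
    probe = quote("<script>alert(1)</script>", safe="")
    print(render_label_vulnerable(probe))
    print(render_label_fixed(probe))
```

When testing an instance, the useful check is not whether the label looks odd but whether a decoded query value is ever written into the page unescaped: the double encoding only tells you where a value crosses an encode/decode boundary more than once, which is exactly where one layer tends to forget the escaping.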

References:

http://www.vupen.com/english/advisories/2010/1908
https://support.zabbix.com/browse/ZBX-2326
http://xforce.iss.net/xforce/xfdb/60772
http://www.zabbix.com/forum/showthread.php?p=68770
http://www.securityfocus.com/bid/42017
http://secunia.com/advisories/40679



Copyright 2024, cxsecurity.com