Zabbix server accepts unauthenticated requests to execute remote command

    • Type: Incident report
    • Resolution: Duplicate
    • Priority: Major
    • Affects Version/s: 3.0.6, 3.2.2
    • Component/s: Server (S)
    • Environment:
      Any

      Zabbix server accepts the request "command" without any authentication attributes, so an attacker can use a known scriptid and hostid (simply dumped with tcpdump or such) to DoS remote hosts monitored by the Zabbix server.

      I think this is a security bug because, for example, queue.get accepts the sid parameter, though it is not subject to DoS attacks.

            Assignee:
            Unassigned
            Reporter:
            Andrey A. Konovalov
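
A detection sketch for the condition described in the report, added here as an example and not part of the original report or of Zabbix's own code: it scans decoded request bodies for "command" requests that carry no sid and counts them per source. The log line format (source address, a space, then the JSON body) and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample input: "<source address> <decoded JSON request body>".
# The field names (request, scriptid, hostid, sid) are the ones named in the
# report; the line layout itself is an assumption for this example.
SAMPLE_LOG = """\
192.0.2.10 {"request":"queue.get","sid":"0123456789abcdef0123456789abcdef"}
198.51.100.7 {"request":"command","scriptid":"1","hostid":"10084"}
198.51.100.7 {"request":"command","scriptid":"1","hostid":"10085","sid":""}
192.0.2.10 {"request":"command","scriptid":"2","hostid":"10084","sid":"0123456789abcdef0123456789abcdef"}
203.0.113.5 {"request":"command","scriptid":
"""

def classify(line):
    """Return (source, verdict) for one log line."""
    source, _, body = line.partition(" ")
    try:
        msg = json.loads(body)
    except ValueError:
        # Truncated or non-JSON body: report it separately, do not guess.
        return source, "malformed"
    if not isinstance(msg, dict) or msg.get("request") != "command":
        return source, "other"
    sid = msg.get("sid")
    # Presence check only: a non-empty sid still has to be validated
    # by the server against a real session.
    if isinstance(sid, str) and sid.strip():
        return source, "command-with-sid"
    return source, "command-without-sid"

def unauthenticated_command_sources(log_text):
    """Count "command" requests lacking a usable sid, keyed by source."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        source, verdict = classify(line)
        if verdict == "command-without-sid":
            hits[source] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, count in unauthenticated_command_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} command request(s) without sid")
```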