ZABBIX BUGS AND ISSUES / ZBX-11691

Zabbix server accepts unauthenticated requests to execute remote command

Details

    • Incident report
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 3.0.6, 3.2.2
    • None
    • Server (S)
    • None
    • Any

    Description

      Zabbix server accepts the request "command" without any authentication attributes, so an attacker can use a known scriptid and hostid (simply dumped with tcpdump or such) to DoS remote hosts monitored by Zabbix server.

      I think this is a security bug, because, for example, queue.get accepts the sid parameter, though this is not subject to DoS attacks.

            People

              Unassigned
              drvtiny Andrey A. Konovalov