[ZBX-16019] fix host.conn expansion in global scripts - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Trivial
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.0.27rc1, 4.0.7rc1, 4.2.1rc1, 4.4.0alpha1, 4.4 (plan)
Component/s: Server (S)
Labels:
- security
- vulnerability

Team:
Team A
Story Points:
1.5

Description

Currently HOST.CONN macro is used in Ping script (globals script), but it can be used to inject another script into PING like so:

Setting host ip to {$MACRO}
Setting macro to "127.0.0.1; cat /etc/zabbix/zabbix_server.conf"

Zabbix server should perform validation of expanded HOST.CONN macro and not execute global script if macro is expanded into something that is not IP / domain name.

Attachments

Issue Links

mentioned in: Page Loading...

Activity

People

Assignee:: Andrejs Kozlovs

Reporter:: Rostislav Palivoda

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2018 Dec 13 15:19

Updated:: 2020 Jul 16 14:10

Resolved:: 2019 Apr 30 08:58