Details
- Type: Defect (Security)
- Status: Closed
- Priority: Trivial
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 3.0.27rc1, 4.0.7rc1, 4.2.1rc1, 4.4.0alpha1, 4.4 (plan)
- Component/s: Server (S)
- Labels:
- Team: Team A
- Story Points: 1.5

Description
Currently the HOST.CONN macro is used in the Ping script (global script), but it can be used to inject another script into PING like so:
- Setting host IP to {$MACRO}
- Setting macro to "127.0.0.1; cat /etc/zabbix/zabbix_server.conf"
Zabbix server should validate the expanded HOST.CONN macro and not execute the global script if the macro expands into something that is not an IP / domain name.
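
One way to implement the check requested above, as an added example in C; it is not the fix that went into Zabbix, and `host_conn_is_safe` and `is_dns_name` are hypothetical names. It assumes strict hostname syntax (ASCII letters, digits, hyphens and dots), so names containing underscores are rejected.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* ASCII-only test, independent of the current locale */
static int ascii_alnum(char c) {
	return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') || ('0' <= c && c <= '9');
}

/* Hypothetical helper: 1 if s is a syntactically valid DNS name, else 0 */
static int is_dns_name(const char *s) {
	size_t len = strlen(s), label = 0;	/* label = length of current label */
	const char *p;

	if (0 == len || 253 < len)
		return 0;
	for (p = s; '\0' != *p; p++) {
		if ('.' == *p) {
			if (0 == label || '-' == p[-1])	/* empty label or trailing '-' */
				return 0;
			label = 0;
			continue;
		}
		if (!ascii_alnum(*p) && '-' != *p)
			return 0;	/* rejects ';', spaces, '{', '$', '|', quotes, ... */
		if (('-' == *p && 0 == label) || 63 < ++label)
			return 0;	/* leading '-' or label longer than 63 bytes */
	}
	return 0 != label && '-' != p[-1];
}

/* Hypothetical check to run on the expanded HOST.CONN value before it is
 * substituted into a global script: 1 = IP address or DNS name, 0 = refuse */
int host_conn_is_safe(const char *value) {
	unsigned char buf[16];	/* large enough for an IPv6 address */

	if (NULL == value)
		return 0;
	if (1 == inet_pton(AF_INET, value, buf) || 1 == inet_pton(AF_INET6, value, buf))
		return 1;
	return is_dns_name(value);
}

int main(void) {
	/* constructed inputs: a plain address, then the macro value from this report */
	printf("%d\n", host_conn_is_safe("127.0.0.1"));
	printf("%d\n", host_conn_is_safe("127.0.0.1; cat /etc/zabbix/zabbix_server.conf"));
	return 0;
}
```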