Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-17104

Some shell metachars not escaped in action's remote command

    XMLWordPrintable

    Details

    • Team:
      Team C

      Description

      See also similar issue with quoting when call alerts scripts: ZBX-4529

       

      Steps to reproduce:

      1. Setup zabbix from official repo
      2. Write external script to handle zabbix events, place it on zabbix server
      3. Create action in zabbix UI with one of Operations Steps "remote command on zabbix server" (see attached screenshot). Pass some macros to this remote command, for example, {ITEM.VALUE2}. You may either quote macroses/args with single or double quote.
      4. Make this action run several times with values of {ITEM.VALUE2} either with one single quote, with one double quote character.
      5. Lookup for action success or failure with different values of this particular macro (in Reports->Action log).

      Result:

      Sometimes action is failed (when {ITEM.VALUE2} contain single quote if arg is single quoted in remote command, and when it contain double quote if arg is double quoted). See attached screenshot (where value single quoted and result of httptest contains single quote in output). Result is error message from "sh".

      Expected:
      It is expected that either single or double quote characters will be escaped in macro values when it is passed to remote command, so no shell misquoting problem arises.

       

      Note that macro values not always under control of zabbix server administrator and now (in 4.4.3) external attacker may manipulate acquired data to inject malicious shell code in remote command and execute it in context of zabbix server user.

        Attachments

          Activity

            People

            Assignee:
            rvaliahmetovs Renats Valiahmetovs
            Reporter:
            evg-krsk Evgenii Terechkov
            Votes:
            2 Vote for this issue
            Watchers:
            8 Start watching this issue

              Dates

              Created:
              Updated: