Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-4529

Some shell metachars not escaped when call alert script

    Details

      Description

      When alerter call external script, it can pass some information including last item value as commandline arguments.
      Item value can contain some information out of zabbix administrator countrol such as web page content.
      And when this information pass to commandline, shell meta-characters such as '$', '~', '@' and even '`' not escaped.
      Due to this, hacker can execute arbitrary code on zabbix server if he has access to monitored web-page, alert action configured as external script, last value included in the message body and item value is web page content.

      Solution I propose is to call external scripts by exec() function and not via "/bin/sh -c".
      Another solution - pass message body to external script via stdin - is not solve the same (hypothetic) problem with subject.
      Escape all shell meta-characters before call script seems ugly for me.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              pgulchuk Pavel
            • Votes:
              5 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: