- Incident report
- Resolution: Won't fix
- Minor
- None
- 1.9.9 (beta)
- None
- latest trunk r25374
If something is wrong with an API request, then in the response I can see the full path to the source files in a debug section.
The authorized user has "Debug mode" enabled.
Yes, it's the full path:
/zab/www-dev/zabbix20/api/classes/class.cusermacro.php
Recently a similar case for the frontend has been fixed in ZBX-3840.
Request:
{"jsonrpc":"2.0","method":"usermacro.deleteglobal","params":["{$MACRO1}"],"id":0,"auth":"c6f72a1a2ee604002b6bd72b8586335a"}
Response:
{
  "jsonrpc":"2.0",
  "error":{
    "code":-32602,
    "message":"Invalid params.",
    "data":"Global macro with globalmacroid \"{$MACRO1}\" does not exist.",
    "debug":[
      {
        "file":"/zab/www-dev/zabbix20/api/classes/class.cusermacro.php",
        "line":594,
        "function":"exception",
        "class":"CZBXAPI",
        "type":"::",
        "args":[
          100,
          "Global macro with globalmacroid \"{$MACRO1}\" does not exist."
        ]
... trimmed
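An added example, not part of the original report and not Zabbix code: a check that could run in an API regression test, walking a JSON-RPC response to flag absolute server paths like the one in the debug section above and to reduce them to bare file names. The sample response is reconstructed from the report and closed by hand where the original is trimmed; the function names are hypothetical.

```python
import json
import re

# Absolute POSIX or Windows path ending in a file name with an extension.
# The lookbehind keeps URL paths (http://host/a/b.php) from matching.
ABS_PATH = re.compile(
    r'(?<![\w/.])(?:/|[A-Za-z]:\\)(?:[^\s"\\/]+[\\/])+[^\s"\\/]+\.\w+')

def find_path_leaks(node, where="$"):
    """Return (location, path) for every absolute path in any string value."""
    if isinstance(node, dict):
        return [hit for k, v in node.items()
                for hit in find_path_leaks(v, f"{where}.{k}")]
    if isinstance(node, list):
        return [hit for i, v in enumerate(node)
                for hit in find_path_leaks(v, f"{where}[{i}]")]
    if isinstance(node, str):
        return [(where, m.group(0)) for m in ABS_PATH.finditer(node)]
    return []

def redact_paths(node):
    """Return a copy with each absolute path replaced by its file name."""
    if isinstance(node, dict):
        return {k: redact_paths(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_paths(v) for v in node]
    if isinstance(node, str):
        return ABS_PATH.sub(
            lambda m: re.split(r"[\\/]", m.group(0))[-1], node)
    return node

# Constructed sample: the response from the report, closed after the first
# debug frame (the original is trimmed); the "id" member is assumed.
SAMPLE = json.loads(r'''
{"jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params.",
 "data":"Global macro with globalmacroid \"{$MACRO1}\" does not exist.",
 "debug":[{"file":"/zab/www-dev/zabbix20/api/classes/class.cusermacro.php",
   "line":594,"function":"exception","class":"CZBXAPI","type":"::",
   "args":[100,"Global macro with globalmacroid \"{$MACRO1}\" does not exist."]}]},
 "id":0}
''')

if __name__ == "__main__":
    for where, path in find_path_leaks(SAMPLE):
        print(f"path disclosure at {where}: {path}")
    print(json.dumps(redact_paths(SAMPLE)["error"]["debug"][0]))
```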
- duplicates
- ZBX-3840 Path Disclosure Vulnerability
- Closed