[ZBX-13260] Guest has access to script execution link Created: 2017 Aug 29  Updated: 2024 Apr 10  Resolved: 2017 Dec 27

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 4.0.0alpha1
Fix Version/s: 3.0.14rc1, 3.2.11rc1, 3.4.5rc1, 4.0.0alpha1, 4.0 (plan)

Type: Defect (Security) Priority: Critical
Reporter: Natalja Romancaka Assignee: Miks Kronkalns
Resolution: Fixed Votes: 0
Labels: scripts, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Team: Team A
Sprint: Sprint 19, Sprint 21, Sprint 22
Story Points: 0.5

 Description   

A guest can open the script execution link, for example /scripts_exec.php?hostid=10084&scriptid=1
So a guest can change the script and host IDs to see confidential information, for example the host IP.

Thanks to vjaceslavs



 Comments   
Comment by Vjaceslavs Bogdanovs [ 2017 Oct 20 ]

Permission checks should be added to scripts_exec.php. Can be done in a few hours (not more than 3).
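
A model of the missing check, added here as an illustration and not taken from this ticket or from Zabbix code: the handler resolves hostid and scriptid only within the caller's permissions, and a sweep over every ID pair serves as a regression test. The users, groups, hosts, scripts and function names are constructed assumptions, and Python stands in for the PHP frontend.

```python
from dataclasses import dataclass
from itertools import product

# Constructed sample data: IDs, groups and addresses are illustrative only.
HOSTS = {10084: {"ip": "192.0.2.10", "groups": {4}},
         10105: {"ip": "192.0.2.20", "groups": {7}}}
SCRIPTS = {1: {"name": "Ping", "usrgrp": None, "hostgrp": None},  # None = any
           2: {"name": "Traceroute", "usrgrp": 12, "hostgrp": 7}}

@dataclass(frozen=True)
class User:
    name: str
    usrgrps: frozenset            # user groups the account belongs to
    readable_hostgrps: frozenset  # host groups the account may read

GUEST = User("guest", frozenset({8}), frozenset())
OPERATOR = User("operator", frozenset({12}), frozenset({7}))

class Forbidden(Exception):
    """Single error for 'missing' and 'not permitted', so IDs cannot be probed."""

def exec_unchecked(user, hostid, scriptid):
    # Behaviour described in the report: IDs from the URL are trusted as-is.
    return f"{SCRIPTS[scriptid]['name']} -> {HOSTS[hostid]['ip']}"

def exec_checked(user, hostid, scriptid):
    # Deny by default: both objects must resolve within the caller's permissions.
    host, script = HOSTS.get(hostid), SCRIPTS.get(scriptid)
    allowed = (
        host is not None and script is not None
        and bool(host["groups"] & user.readable_hostgrps)
        and script["usrgrp"] in (None, *user.usrgrps)
        and (script["hostgrp"] is None or script["hostgrp"] in host["groups"])
    )
    if not allowed:
        raise Forbidden("no permission or object does not exist")
    return f"{script['name']} -> {host['ip']}"

def exposed_pairs(handler, user):
    # Regression sweep: every (hostid, scriptid) pair the handler answers for user.
    hits = []
    for hostid, scriptid in product(HOSTS, SCRIPTS):
        try:
            handler(user, hostid, scriptid)
            hits.append((hostid, scriptid))
        except Forbidden:
            pass
    return hits
```

An empty result from exposed_pairs for the guest account is the condition a regression test for this issue would assert.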

Comment by Miks Kronkalns [ 2017 Nov 22 ]

RESOLVED in ^/branches/dev/DEV-656 r74880

Comment by Miks Kronkalns [ 2017 Nov 22 ]

(1) No translation string changes.

vjaceslavs CLOSED

Comment by Miks Kronkalns [ 2017 Nov 22 ]

Removed v2.2 from 'Fix Version/s' because it is not affected.

Comment by Miks Kronkalns [ 2017 Nov 28 ]

Fixed:

  • 3.0.14rc1 r75126
  • 3.2.11rc1 r75127
  • 3.4.5rc1 r75128
  • 4.0.0alpha1 (trunk) r75129