[ZBX-16019] fix host.conn expansion in global scripts
Created: 2018 Dec 13 | Updated: 2024 Apr 10 | Resolved: 2019 Apr 30 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Server (S) |
Affects Version/s: | None |
Fix Version/s: | 3.0.27rc1, 4.0.7rc1, 4.2.1rc1, 4.4.0alpha1, 4.4 (plan) |
Type: | Defect (Security) | Priority: | Trivial |
Reporter: | Rostislav Palivoda | Assignee: | Andrejs Kozlovs |
Resolution: | Fixed | Votes: | 0 |
Labels: | security, vulnerability |
Remaining Estimate: | Not Specified |
Time Spent: | Not Specified |
Original Estimate: | Not Specified |
Team: | Team A |
Story Points: | 1.5 |
Description |
Currently the HOST.CONN macro is used in the Ping script (a global script), but it can be used to inject another script into PING like so:
The Zabbix server should validate the expanded HOST.CONN macro and not execute the global script if the macro expands into something that is not an IP / domain name. |
Comments |
Comment by Alexander Vladishev [ 2018 Dec 14 ] |
HOST.IP, IPADDRESS and HOST.DNS also must be validated |
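An added example, not from the ticket or the Zabbix source: one way to apply the check requested above to the expanded value of HOST.CONN, and equally to HOST.IP, IPADDRESS and HOST.DNS, before it reaches a global script command. The function names and the RFC 1123 style host name rule are assumptions, and the sample values are constructed.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if s parses as an IPv4 or IPv6 literal. */
static int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return 1 == inet_pton(AF_INET, s, buf) || 1 == inet_pton(AF_INET6, s, buf);
}

/* 1 if s is an RFC 1123 style name: labels of 1..63 ASCII letters, digits or
 * '-', no label starting or ending with '-', at most 253 characters. */
static int is_dns_name(const char *s)
{
    size_t len = strlen(s), label = 0, i;

    if (0 == len || 253 < len)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];

        if ('.' == c) {                 /* label separator */
            if (0 == label || '-' == s[i - 1])
                return 0;
            label = 0;
            continue;
        }
        if (c > 127 || (!isalnum(c) && '-' != c))
            return 0;                   /* anything else, e.g. ';' or ' ' */
        if (('-' == c && 0 == label) || 63 < ++label)
            return 0;
    }
    return '-' != s[len - 1];
}

/* Hypothetical gate (name is an assumption): 1 only when the expanded macro
 * value is an address or a host name and nothing else. */
int conn_value_is_safe(const char *expanded)
{
    return NULL != expanded && (is_ip_literal(expanded) || is_dns_name(expanded));
}

int main(void)
{
    /* Constructed sample values, not taken from the ticket. */
    const char *v[] = { "192.0.2.10", "db01.example.com", "192.0.2.10;x", "{HOST.CONN}" };
    for (size_t i = 0; i < sizeof(v) / sizeof(v[0]); i++)
        printf("%-18s %s\n", v[i], conn_value_is_safe(v[i]) ? "run script" : "refuse");
    return 0;
}
```

The check is an allow-list on the expanded value, so a macro that was left unexpanded or that carries any character outside an address or host name causes the script to be refused rather than sanitized.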
Comment by Andrejs Kozlovs [ 2019 Apr 12 ] |
Fixed in:
|