[ZBX-2450] no security measures are taken for external checks
Created: 2010 May 21
Updated: 2024 Apr 10
Resolved: 2019 Mar 12

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Server (S)
Affects Version/s: 1.8.2
Fix Version/s: None

Type: Defect (Security)
Priority: Critical
Reporter: Aleksandrs Saveljevs
Assignee: Andrejs Kozlovs
Resolution: Duplicate
Votes: 2
Labels: externalchecks, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates ZBX-3647 keys of external checks do not confor... Closed
duplicates ZBX-12963 Unable to pass $ sign to external check Closed
is duplicated by ZBX-12920 Context macros are not expanded prope... Closed
is duplicated by ZBX-9701 Special character $ doesn't pass in e... Closed
Team: Team A
Sprint: Sprint 50 (Mar 2019)

 Description   

We might wish to do more security checking for external checks, similar to what ZBX-790 and ZBX-1575 did for UserParameters. Currently, absolutely no security checks are performed. I have not tried, but this should work: non-existent.sh[ || rm -rf / ].



 Comments   
Comment by Aleksandrs Saveljevs [ 2017 Aug 25 ]

Note that even though external checks use a different key format after ZBX-3647, it is still possible to do things like echo.sh[$HOME], echo.sh[$(seq 1 5)], and echo.sh[`seq 1 5`]. This is because the arguments are passed to the shell in double quotes in get_value_external() in src/zabbix_server/poller/checks_external.c, unlike in alerts in execute_action() in src/zabbix_server/alerter/alerter.c (as of current 3.2 branch).
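
The quoting difference described in the comment above, shown as an added example; it is not Zabbix code and not part of the issue. The helper names (quote_double, quote_single, shell_sees) and the sample argument are constructed for illustration, and single-quote escaping is one common mitigation, not necessarily the fix Zabbix adopted.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* popen/pclose */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern from the comment: the argument is only wrapped in double quotes,
 * so sh still performs $VAR, $(...) and `...` expansion inside it. */
static char *quote_double(const char *arg)
{
    size_t n = strlen(arg) + 3;
    char *out = malloc(n);
    if (out != NULL)
        snprintf(out, n, "\"%s\"", arg);
    return out;
}

/* Hardened form: single quotes, with each embedded ' written as '\''.
 * Nothing is expanded inside single quotes. Caller frees the result. */
static char *quote_single(const char *arg)
{
    size_t n = 3;                          /* two quotes + NUL */
    for (const char *p = arg; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *q = out;
    if (out == NULL)
        return NULL;
    *q++ = '\'';
    for (const char *p = arg; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Hand "printf %s <quoted>" to sh and capture what the script would receive. */
static int shell_sees(const char *quoted, char *buf, size_t len)
{
    char cmd[512];
    FILE *fp;
    snprintf(cmd, sizeof(cmd), "printf '%%s' %s", quoted);
    if ((fp = popen(cmd, "r")) == NULL)
        return -1;
    buf[fread(buf, 1, len - 1, fp)] = '\0';
    return pclose(fp);
}
```

With the double-quoted form the script receives the result of the substitution; with the single-quoted form it receives the item key parameter byte for byte.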
