Hello,
I am using Zabbix server 2.4.4 on Debian (amd64).
Let's assume that we have the following item defined in zabbix_agentd.conf:
UserParameter=my.item[*],ps ax | grep '$1'
And from the template the item has this set as key:
my.item["firefox"]
And if someone hacks my Zabbix frontend, he or she can change my argument from firefox to something like firefox'; rm -rf /
I tried it with replacing firefox with firefox'; mkdir /tmp/HACKED
And it worked: the directory was created, because the command becomes ps aux | grep 'firefox'; mkdir /tmp/HACKED'
How to prevent such injection? Is it my job to escape every argument? Is there any easy way to do it? Thank you!
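
Added example, not part of the original post: a hypothetical wrapper script (`my_item.sh`; its path, function names and the 32-character limit are assumptions) that allow-lists the argument before using it. `render_command` only prints what the agent's textual `$1` substitution produces, which is why the quotes around `'$1'` do not help. It assumes the agent's `UnsafeUserParameters` setting is left at its default of 0, so that arguments containing shell metacharacters are refused before any command line is built.

```shell
#!/bin/sh
# Added example, not from the post. Hypothetical wrapper my_item.sh, called as:
#   UserParameter=my.item[*],/usr/local/bin/my_item.sh $1
LC_ALL=C; export LC_ALL   # make the bracket ranges below byte-exact

# Shows what the agent does: $1 is pasted into the command text before a
# shell parses it. Prints the resulting command line, never runs it.
render_command() {   # $1 = command template, $2 = item key argument
    template=$1; arg=$2
    prefix=${template%%\$1*}   # text before the literal "$1"
    suffix=${template#*\$1}    # text after the literal "$1"
    printf '%s%s%s\n' "$prefix" "$arg" "$suffix"
}

# Allow-list: 1-32 characters from [A-Za-z0-9._-], not starting with '-'.
is_safe_arg() {
    case "$1" in
        ''|-*)             return 1 ;;  # empty, or would parse as an option
        *[!A-Za-z0-9._-]*) return 1 ;;  # any character outside the allow-list
    esac
    [ "${#1}" -le 32 ]
}

# Counts processes whose name matches the validated pattern.
count_procs() {
    if ! is_safe_arg "$1"; then
        echo "my_item.sh: rejected argument" >&2
        return 2
    fi
    # The pattern is one quoted argv entry; '--' ends option parsing.
    pgrep -c -- "$1"
}

if [ "$#" -gt 0 ]; then
    count_procs "$1"
fi
```

The check inside the script is a second layer: once the agent has pasted an argument into the command text, a script cannot undo that, so the agent-side character filter has to stay enabled.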
