Hi,

On Sun, 13 Nov 2016 21:23:30 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> On Sun, Nov 13, 2016 at 09:00:58PM +0100, Salvatore Bonaccorso wrote:
> > I'm not sure the subject is correct in stating that versions only
> > below 3.0.3 are affected. Looking from the changes in api_jsonrpc.php
> > it does not look yet fixed. Can you confirm?
> >
> > Is upstream actually aware of the issue? Is a fix available?
>
> From a quick test on an unstable VM this seems still the case for the
> current unstable version.
https://support.zabbix.com/browse/ZBX-11483

Quote from richlv (upstream):
> doesn't look like it - the exploit-db example logs in as Admin, then
> does script.update, followed by script.execute - it does not connect to
> the trapper port directly but goes through the frontend.
>
> that looks like somebody with the superadmin rights using a feature as
> intended... not sure anything can/should be done about it.

Similarly, I'm not convinced there's a bug here at all.

Thanks,
James
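The upstream comment above describes the exploit-db sequence as an ordinary API session: authenticate as Admin, call script.update, then call script.execute through the frontend. Whether or not that counts as a bug, it is the kind of privileged sequence an operator would want surfaced during API audit review, since a script update followed immediately by its execution changes what runs on monitored hosts. The following is an added example, not code from this thread or from Zabbix: a small Python detector that reads constructed JSON-RPC request log lines (the log layout, session tokens, timestamps and script ids are all made up for the example) and flags a script.execute that follows a script.update of the same script in the same session within a short window.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of Zabbix-style JSON-RPC requests as a reverse proxy or
# application-level request logger in front of api_jsonrpc.php might record
# them. Timestamps, session tokens ("auth"), host ids and script ids are made up.
SAMPLE_LOG = """\
2016-11-13T20:00:01Z {"jsonrpc":"2.0","method":"user.login","params":{"user":"Admin","password":"***"},"id":1}
2016-11-13T20:00:02Z {"jsonrpc":"2.0","method":"host.get","params":{},"auth":"sess-aaaa","id":2}
2016-11-13T20:00:03Z {"jsonrpc":"2.0","method":"script.update","params":{"scriptid":"1","command":"<redacted>"},"auth":"sess-aaaa","id":3}
2016-11-13T20:00:04Z {"jsonrpc":"2.0","method":"script.execute","params":{"scriptid":"1","hostid":"10084"},"auth":"sess-aaaa","id":4}
2016-11-13T20:10:00Z {"jsonrpc":"2.0","method":"script.update","params":{"scriptid":"2","name":"Ping"},"auth":"sess-bbbb","id":5}
2016-11-13T21:30:00Z {"jsonrpc":"2.0","method":"script.execute","params":{"scriptid":"2","hostid":"10084"},"auth":"sess-bbbb","id":6}
"""


def parse_log(text):
    """Parse '<ISO timestamp> <JSON-RPC body>' lines into flat records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, body = line.partition(" ")
        req = json.loads(body)
        params = req.get("params") or {}
        records.append({
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "method": req.get("method"),
            # Session token; absent on user.login, which has no session yet.
            "auth": req.get("auth"),
            "scriptid": params.get("scriptid"),
        })
    return records


def find_update_then_execute(records, window=timedelta(minutes=5)):
    """Flag script.execute calls that follow a script.update of the same
    scriptid in the same API session within `window`.

    This is a review heuristic, not proof of misuse: a superadmin editing a
    script and test-running it produces exactly this pattern.
    """
    findings = []
    # (session token, scriptid) -> timestamp of the most recent script.update
    last_update = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["auth"], rec["scriptid"])
        if rec["method"] == "script.update":
            last_update[key] = rec["ts"]
        elif rec["method"] == "script.execute":
            updated_at = last_update.get(key)
            if updated_at is not None and rec["ts"] - updated_at <= window:
                findings.append({
                    "auth": rec["auth"],
                    "scriptid": rec["scriptid"],
                    "updated_at": updated_at,
                    "executed_at": rec["ts"],
                })
    return findings


if __name__ == "__main__":
    for hit in find_update_then_execute(parse_log(SAMPLE_LOG)):
        print("session %(auth)s updated script %(scriptid)s at %(updated_at)s "
              "and executed it at %(executed_at)s" % hit)
```

With the sample above only the sess-aaaa sequence is reported; the sess-bbbb session updates a script and runs it eighty minutes later, which falls outside the default five-minute window. Widening the window trades noise for recall, and in practice such a hit is something to correlate with who holds the superadmin role and whether the script change was expected, not an alert in its own right.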