Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-15708

User passwords leaked in media types

    XMLWordPrintable

Details

    • Team D
    • Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
    • 0.75

    Description

      Tested and reproduced with:
      Firefox 65.0 and Google Chrome 72.0.3626.109.

      Steps:
      1. Log into the Zabbix UI and allow the browser to save the credentials.
      2. Administration -> Media types -> Create media type.
      3. Enter some name for the new media type, click Add.

      Result:
      Check the added media type in the database - password for the current user has been saved in the "passwd" field.
      This leaks user passwords in cleartext where users would not expect.

      Reason:
      Even though the password field for SMTP was hidden, it was not disabled. Browsers auto-fill such fields and send them to the Zabbix API.

      Other suspect areas:
      This problem could also be present in item form for items that allow entering password (SSH, telnet etc), or other similar locations.

      Possible solutions (both might be desirable):

      • Disable hidden password fields.
      • Reject in the API media type creation/update with authentication disabled, but credentials supplied.

      Regarding the first one, https://core.trac.wordpress.org/ticket/33699 might serve as an inspiration to how Wordpress has handled this (their regressions might be useful checking, too).

      Attachments

        Issue Links

          Activity

            People

              gcalenko Gregory Chalenko
              dotneft Alexey Pustovalov
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: