ZABBIX BUGS AND ISSUES
ZBX-15708

User passwords leaked in media types


    Details

    • Team:
      Team D
    • Sprint:
      Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
    • Story Points:
      0.75

      Description

      Tested and reproduced with:
      Firefox 65.0 and Google Chrome 72.0.3626.109.

      Steps:
      1. Log into the Zabbix UI and allow the browser to save the credentials.
      2. Administration -> Media types -> Create media type.
      3. Enter some name for the new media type, click Add.

      Result:
      Check the added media type in the database: the password of the current user has been saved in its "passwd" field.
      This leaks user passwords in cleartext in a place where users would not expect them.

      Reason:
      Even though the password field for SMTP was hidden, it was not disabled. Browsers auto-fill such fields and send them to the Zabbix API.

      Other suspect areas:
      This problem could also be present in the item form for items that allow entering a password (SSH, Telnet, etc.), or in other similar locations.

      Possible solutions (both might be desirable):

      • Disable hidden password fields.
      • Reject in the API media type creation/update with authentication disabled, but credentials supplied.

      Regarding the first one, https://core.trac.wordpress.org/ticket/33699 might serve as an inspiration for how WordPress has handled this (their regressions might be worth checking, too).
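The mechanism and both proposed fixes, as an added example that is not Zabbix code: form fields are modelled as plain objects so the browser's autofill and submission behaviour can be simulated offline; the field name "passwd" comes from the report, while "smtp_authentication" and "username" are assumed from the media type object, and the saved login is constructed.

```javascript
// Added example (not Zabbix code); smtp_authentication/username are assumed names.
// A form field as the browser sees it: `hidden` = not displayed,
// `disabled` = the HTML disabled attribute.
function field(name, type, opts = {}) {
  return { name, type, hidden: false, disabled: false, value: "", ...opts };
}

// Password manager behaviour: fills every *enabled* password field and
// the username field, whether or not they are displayed.
function autofill(fields, saved) {
  return fields.map((f) => {
    if (f.disabled) return f;
    if (f.type === "password") return { ...f, value: saved.password };
    if (f.name === "username") return { ...f, value: saved.username };
    return f;
  });
}

// Form submission: every enabled field is sent, hidden or not.
function serialize(fields) {
  return Object.fromEntries(
    fields.filter((f) => !f.disabled).map((f) => [f.name, f.value]));
}

// Fix 1 (frontend): a hidden password field must also be disabled.
function disableHiddenPasswordFields(fields) {
  return fields.map((f) =>
    f.hidden && f.type === "password" ? { ...f, disabled: true, value: "" } : f);
}

// Fix 2 (API): reject credentials when SMTP authentication is off.
// Returns null when acceptable, otherwise an error message.
function validateMediaType(payload) {
  const authOff = Number(payload.smtp_authentication || 0) === 0;
  const hasCreds = Boolean(payload.username) || Boolean(payload.passwd);
  return authOff && hasCreds
    ? "credentials supplied but authentication is disabled" : null;
}
// Constructed scenario: auth section hidden (authentication = 0) but enabled.
const mediaTypeForm = [
  field("name", "text", { value: "Email" }),
  field("smtp_authentication", "text", { value: "0" }),
  field("username", "text", { hidden: true }),
  field("passwd", "password", { hidden: true }),
];
const savedLogin = { username: "Admin", password: "ui-login-secret" };
function leakedRequest() { return serialize(autofill(mediaTypeForm, savedLogin)); }
function hardenedRequest() {
  return serialize(autofill(disableHiddenPasswordFields(mediaTypeForm), savedLogin));
}
```

Note that fix 1 alone still lets the auto-filled username through, which is why the API-side check is wanted as well.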

              People

              Assignee:
              gcalenko Gregory Chalenko
              Reporter:
              dotneft Alexey Pustovalov
              Votes:
              0
              Watchers:
              10
