[ZBX-15708] User passwords leaked in media types - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.0.4
Fix Version/s: 4.0.7rc1, 4.2.1rc1, 4.4.0alpha1, 4.4 (plan)
Component/s: Frontend (F)
Labels:
- password
- security

Team:
Team D
Sprint:
Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
Story Points:
0.75

Description

Tested and reproduced with:
Firefox 65.0 and Google Chrome 72.0.3626.109.

Steps:
1. Log into the Zabbix UI and allow the browser to save the credentials.
2. Administration -> Media types -> Create media type.
3. Enter some name for the new media type, click Add.

Result:
Check the added media type in the database - password for the current user has been saved in the "passwd" field.
This leaks user passwords in cleartext where users would not expect.

Reason:
Even though the password field for SMTP was hidden, it was not disabled. Browsers auto-fill such fields and send them to the Zabbix API.

Other suspect areas:
This problem could also be present in item form for items that allow entering password (SSH, telnet etc), or other similar locations.

Possible solutions (both might be desirable):

Disable hidden password fields.
Reject in the API media type creation/update with authentication disabled, but credentials supplied.

Regarding the first one, https://core.trac.wordpress.org/ticket/33699 might serve as an inspiration to how Wordpress has handled this (their regressions might be useful checking, too).

Attachments

Issue Links

is duplicated by

ZBX-10572 "Admin" suggested as the default surname

Closed

Activity

People

Assignee:: Gregory Chalenko

Reporter:: Alexey Pustovalov

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 2019 Feb 21 15:14

Updated:: 2020 Jul 16 14:10

Resolved:: 2019 Apr 09 22:27