Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-15708

User passwords leaked in media types

XMLWordPrintable

    • Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
    • 0.75

      Tested and reproduced with:
      Firefox 65.0 and Google Chrome 72.0.3626.109.

      Steps:
      1. Log into the Zabbix UI and allow the browser to save the credentials.
      2. Administration -> Media types -> Create media type.
      3. Enter some name for the new media type, click Add.

      Result:
      Check the added media type in the database - password for the current user has been saved in the "passwd" field.
      This leaks user passwords in cleartext where users would not expect.

      Reason:
      Even though the password field for SMTP was hidden, it was not disabled. Browsers auto-fill such fields and send them to the Zabbix API.

      Other suspect areas:
      This problem could also be present in item form for items that allow entering password (SSH, telnet etc), or other similar locations.

      Possible solutions (both might be desirable):

      • Disable hidden password fields.
      • Reject in the API media type creation/update with authentication disabled, but credentials supplied.

      Regarding the first one, https://core.trac.wordpress.org/ticket/33699 might serve as an inspiration to how Wordpress has handled this (their regressions might be useful checking, too).

            gcalenko Gregory Chalenko
            dotneft Alexey Pustovalov
            Team D
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: