Details
-
Defect (Security)
-
Resolution: Fixed
-
Major
-
4.0.4
-
Team D
-
Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
-
0.75
Description
Tested and reproduced with:
Firefox 65.0 and Google Chrome 72.0.3626.109.
Steps:
1. Log into the Zabbix UI and allow the browser to save the credentials.
2. Administration -> Media types -> Create media type.
3. Enter some name for the new media type, click Add.
Result:
Check the added media type in the database - password for the current user has been saved in the "passwd" field.
This leaks user passwords in cleartext where users would not expect.
Reason:
Even though the password field for SMTP was hidden, it was not disabled. Browsers auto-fill such fields and send them to the Zabbix API.
Other suspect areas:
This problem could also be present in item form for items that allow entering password (SSH, telnet etc), or other similar locations.
Possible solutions (both might be desirable):
- Disable hidden password fields.
- Reject in the API media type creation/update with authentication disabled, but credentials supplied.
Regarding the first one, https://core.trac.wordpress.org/ticket/33699 might serve as an inspiration to how Wordpress has handled this (their regressions might be useful checking, too).
Attachments
Issue Links
- is duplicated by
-
ZBX-10572 "Admin" suggested as the default surname
-
- Closed
-