[ZBX-6097] It's possible to override LDAP configuration parameters via the API - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
- api
- security

Description

The user.login method can accept a 'cnf' parameter containing the configuration parameters for LDAP authentication. These parameters will override the configuration in the database. This can be used to authenticate using a completely different LDAP application and is a major security issue.

As a proof of concept, Oleksiy configured Zabbix to use LDAP, then changed the configuration in the database so that authentication wouldn't work. After that he was able to log in by passing correct parameters when calling user.login.

The authentication request looks something like this:

{
"jsonrpc": "2.0",
"method": "user.login",
"params": {
"user": "Admin",
"password": "zabbix",
"cnf":

{ "host": "", "port": "", "base_dn": "", "bind_dn": "", "bind_password": "", "search_attribute": "" }

},
"id": 17,
"auth": "161c074862ae52cc87e16e3584f2ac42"
}

This seems to affect all versions starting from 1.8.1.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

ldap_1-8-2.diff
2 kB
2013 Jan 10 14:32
ldap_2-0-1.diff
2 kB
2013 Jan 10 14:32
ldap_2-1-0.diff
5 kB
2013 Jan 04 12:03

Activity

People

Assignee:: Unassigned

Reporter:: Pavels Jelisejevs (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2012 Dec 20 10:42

Updated:: 2020 Jul 16 14:10

Resolved:: 2013 Jan 04 11:45