ZBX-6097

It's possible to override LDAP configuration parameters via the API


Details

    • Type: Defect (Security)
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed

    Description

      The user.login method can accept a 'cnf' parameter containing the configuration parameters for LDAP authentication. These parameters will override the configuration in the database. This can be used to authenticate using a completely different LDAP application and is a major security issue.

      As a proof of concept, Oleksiy configured Zabbix to use LDAP, then changed the configuration in the database so that authentication wouldn't work. After that he was able to log in by passing correct parameters when calling user.login.

      The authentication request looks something like this:

      {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {
          "user": "Admin",
          "password": "zabbix",
          "cnf": {
            "host": "",
            "port": "",
            "base_dn": "",
            "bind_dn": "",
            "bind_password": "",
            "search_attribute": ""
          }
        },
        "id": 17,
        "auth": "161c074862ae52cc87e16e3584f2ac42"
      }

      This seems to affect all versions starting from 1.8.1.
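      As an added example (not part of this issue or of Zabbix's own code), the following script scans captured JSON-RPC request bodies for user.login calls that carry a client-supplied 'cnf' block, and shows the server-side mitigation of discarding that block so only the stored LDAP settings are used. The log format, the sample lines and the function names are constructed assumptions for the demonstration.

```python
import json
from typing import List, Optional

# Constructed sample: one JSON-RPC request body per line, as a reverse proxy
# in front of the Zabbix frontend might record them. Not real traffic.
SAMPLE_LOG = """\
{"jsonrpc":"2.0","method":"user.login","params":{"user":"Admin","password":"x"},"id":1}
{"jsonrpc":"2.0","method":"user.login","params":{"user":"Admin","password":"x","cnf":{"host":"10.0.0.5","port":"389","base_dn":"dc=example,dc=org","bind_dn":"cn=admin","bind_password":"s3cret","search_attribute":"uid"}},"id":2}
[{"jsonrpc":"2.0","method":"host.get","params":{},"id":3,"auth":"deadbeef"},{"jsonrpc":"2.0","method":"user.login","params":{"user":"guest","password":"","cnf":{"host":"evil.example"}},"id":4}]
not json at all
"""

# LDAP settings the issue shows being overridable through the 'cnf' parameter.
LDAP_OVERRIDE_KEYS = ("host", "port", "base_dn", "bind_dn", "bind_password", "search_attribute")


def flag_ldap_override(request: dict) -> Optional[dict]:
    """Return a finding if this single JSON-RPC request is a user.login call
    carrying a client-supplied 'cnf' block, else None. Only key names are
    recorded, so a supplied bind_password never ends up in the alert log."""
    if not isinstance(request, dict) or request.get("method") != "user.login":
        return None
    params = request.get("params")
    if not isinstance(params, dict) or "cnf" not in params:
        return None
    cnf = params["cnf"]
    supplied = [k for k in LDAP_OVERRIDE_KEYS if isinstance(cnf, dict) and k in cnf]
    return {"id": request.get("id"), "user": params.get("user"), "override_keys": supplied}


def scan_log(text: str) -> List[dict]:
    """Scan newline-delimited request bodies; JSON-RPC batch arrays are expanded."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            body = json.loads(line)
        except ValueError:
            continue  # not a JSON body, nothing to inspect
        for req in (body if isinstance(body, list) else [body]):
            finding = flag_ldap_override(req)
            if finding:
                finding["line"] = lineno
                findings.append(finding)
    return findings


def strip_client_ldap_override(params: dict) -> dict:
    """Server-side mitigation (hypothetical helper): drop any client-supplied
    'cnf' so authentication always uses the LDAP settings stored in the database."""
    return {k: v for k, v in params.items() if k != "cnf"}
```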

      Attachments

        1. ldap_1-8-2.diff
          2 kB
        2. ldap_2-0-1.diff
          2 kB
        3. ldap_2-1-0.diff
          5 kB

        People

          Assignee: Unassigned
          Reporter: jelisejev Pavels Jelisejevs (Inactive)