ZABBIX BUGS AND ISSUES
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-6097

It's possible to override LDAP configuration parameters via the API

    Details

    • Type: Incident report Incident report
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      The user.login method can accept a 'cnf' parameter containing the configuration parameters for LDAP authentication. These parameters will override the configuration in the database. This can be used to authenticate using a completely different LDAP application and is a major security issue.

      As a proof of concept, Oleksiy configured Zabbix to use LDAP, then changed the configuration in the database so that authentication wouldn't work. After that he was able to log in by passing correct parameters when calling user.login.

      The authentication request looks something like this:

      {
      "jsonrpc": "2.0",
      "method": "user.login",
      "params": {
      "user": "Admin",
      "password": "zabbix",
      "cnf":

      { "host": "", "port": "", "base_dn": "", "bind_dn": "", "bind_password": "", "search_attribute": "" }

      },
      "id": 17,
      "auth": "161c074862ae52cc87e16e3584f2ac42"
      }

      This seems to affect all versions starting from 1.8.1.

      1. ldap_1-8-2.diff
        2 kB
        Pavels Jelisejevs
      2. ldap_2-0-1.diff
        2 kB
        Pavels Jelisejevs
      3. ldap_2-1-0.diff
        5 kB
        Pavels Jelisejevs

        Activity

        Pavels Jelisejevs (Inactive) created issue -
        Oleksiy Zagorskyi made changes -
        Field Original Value New Value
        Description The user.login method can accept a 'cnf' parameter containing the configuration parameters for LDAP authentication. These parameters will override the configuration in the database. This can be used to authenticate using a completely different LDAP application and is a major security issue.

        As a proof of concept, Oleksiy configured Zabbix to use LDAP, then changed the configuration in the database so that authentication wouldn't work. After that he was able to log in by passing correct parameters when calling user.login.

        The authentication request looks something like this:

        {
            "jsonrpc": "2.0",
            "method": "user.login",
            "params": {
                "user": "Admin",
                "password": "zabbix",
                "cnf": {
                    "host": "",
                    "port": "",
                    "base_dn": "",
                    "bind_dn": "",
                    "bind_password": "",
                    "search_attribute": "uid"
                }
            },
            "id": 17,
            "auth": "161c074862ae52cc87e16e3584f2ac42"
        }

        This seems to affect all versions starting from 1.8.1.
        The user.login method can accept a 'cnf' parameter containing the configuration parameters for LDAP authentication. These parameters will override the configuration in the database. This can be used to authenticate using a completely different LDAP application and is a major security issue.

        As a proof of concept, Oleksiy configured Zabbix to use LDAP, then changed the configuration in the database so that authentication wouldn't work. After that he was able to log in by passing correct parameters when calling user.login.

        The authentication request looks something like this:

        {
            "jsonrpc": "2.0",
            "method": "user.login",
            "params": {
                "user": "Admin",
                "password": "zabbix",
                "cnf": {
                    "host": "",
                    "port": "",
                    "base_dn": "",
                    "bind_dn": "",
                    "bind_password": "",
                    "search_attribute": ""
                }
            },
            "id": 17,
            "auth": "161c074862ae52cc87e16e3584f2ac42"
        }

        This seems to affect all versions starting from 1.8.1.
        Pavels Jelisejevs (Inactive) made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        Pavels Jelisejevs (Inactive) made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Toms made changes -
        Assignee Pavels Jelisejevs [ jelisejev ] Toms [ tomtom ]
        Toms made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Assignee Toms [ tomtom ] Pavels Jelisejevs [ jelisejev ]
        Pavels Jelisejevs (Inactive) made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Assignee Pavels Jelisejevs [ jelisejev ] Toms [ tomtom ]
        Resolution Fixed [ 1 ]
        Toms made changes -
        Assignee Toms [ tomtom ] Pavels Jelisejevs [ jelisejev ]
        Pavels Jelisejevs (Inactive) made changes -
        Attachment ldap_1-8-16.diff [ 21221 ]
        Attachment ldap_2-0-5.diff [ 21222 ]
        Attachment ldap_2-1-0.diff [ 21223 ]
        Pavels Jelisejevs (Inactive) made changes -
        Project ZABBIX-DEV [ 10010 ] ZABBIX BUGS AND ISSUES [ 10000 ]
        Key DEV-524 ZBX-6097
        Workflow jira [ 27515 ] Zabbix workflow [ 27662 ]
        Pavels Jelisejevs (Inactive) made changes -
        Attachment ldap_1-8-16.diff [ 21221 ]
        Pavels Jelisejevs (Inactive) made changes -
        Attachment ldap_2-0-5.diff [ 21222 ]
        Pavels Jelisejevs (Inactive) made changes -
        Attachment ldap_1-8-2.diff [ 21278 ]
        Attachment ldap_2-0-1.diff [ 21279 ]
        Alexei Vladishev made changes -
        Zabbix ID NA RTF
        Pavels Jelisejevs (Inactive) made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Alexei Vladishev made changes -
        Workflow Zabbix workflow [ 27662 ] Zabbix workflow - new [ 46767 ]
        Alexander Vladishev made changes -
        Workflow Zabbix workflow - new [ 46767 ] Copy of Zabbix workflow - new [ 66919 ]
        Alexander Vladishev made changes -
        Workflow Copy of Zabbix workflow - new [ 66919 ] Zabbix workflow - new [ 82139 ]
        Gatis Rumbens made changes -
        Issue Type Bug [ 1 ] Incident report [ 10110 ]
        Zabbix ID RTF
        Assignee Pavels Jelisejevs [ jelisejev ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Pavels Jelisejevs (Inactive)
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: